Presentation is loading. Please wait.

Presentation is loading. Please wait.

Four Lectures on Model Checking Tom Henzinger University of California, Berkeley.

Published byJodie Shields Modified over 8 years ago

Similar presentations

Presentation on theme: "Four Lectures on Model Checking Tom Henzinger University of California, Berkeley."— Presentation transcript:

1 Four Lectures on Model Checking Tom Henzinger University of California, Berkeley

2 Four Lectures on Model Checking: Lecture III 1 Eight model-checking problems: logic vs. automata, linear vs. branching, safety vs. liveness 2 Finite-state systems: six graph algorithms for model checking 3 Infinite-state systems: from graph algorithms to symbolic algorithms

3 Model-checking problem I |= S system modelsystem property satisfaction relation

4 Three important decisions when choosing system properties: 1operational vs. declarative: automata vs. logic 2may vs. must: branching vs. linear time 3prohibiting bad vs. desiring good behavior: safety vs. liveness The three decisions are orthogonal, and they lead to substantially different model-checking problems.

5 LinearBranching Safety STL LivenessLTL CTL Logics

6 Automata Safety:finite automata Liveness:omega automata Linear:language containment Branching:simulation

7 Automata Safety:finite automata Liveness:omega automata Linear:language containment for word automata Branching:language containment for tree automata

8 Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0  Sset of initial states   S  S transition relation  : S  PL(A) where the formulas of PL are  ::= a |    |   for a  A

9 (K,q) |= L M iff L(K,q)  L(M) Linear semantics of specification automata: language containment state-transition graph state of K specification automaton finite traces

10 Checking language containment between finite automata is PSPACE-complete ! L(K,q)  L(M) iff L(K,q)  complement( L(M) ) =  involves determinization (subset construction)

11 In practice: 1. require deterministic specification automata 2. use monitor automata 3. use branching semantics

12 Monitor Automata Syntax: same as specification automata, except also set E  S of error states Semantics: define L(M) s.t. runs must end in error states (K,q) |= C M iff L(K,q)  L(M) = 

13 (K,q) |= B M iff there exists a simulation relation R  Q  S s.t. (q,s)  R for some initial state s of M Branching semantics of specification automata: simulation states of K states of M

14 R  Q  S is a simulation relation iff (q,s)  R implies 1.[q] |=  (s) 2.for all q’ s.t. q  q’, exists s’ s.t. s  s’ and (q’,s’)  R. [Milner 1974]

15 Branching semantics of specification automata, alternative definition: trace-tree containment (K,q) |= B M iff T(K,q)  T(M) finite trace trees

16 Branching semantics of specification automata, alternative definition: game model vs. specification (K,q) |= B M iff there exists a winning strategy of M against (K,q)

17 Strategy G of M against (K,q): function from finite runs of K that start in q to states of M such that - G(  )  S 0 - if G(q 0 …q n ) = s and G(q 0 …q n+1 ) = s', then s  s'. G is winning if - if G(q 0 …q n ) = s, then [q n ] = [s].

18 (K,q) |= L MM language contains (K,q) : exponential check (K,q) |= B MM simulates (K,q) : quadratic check   X involves only traces (hence linear !) involves states (hence branching !)

19 In practice, simulation is usually the “right” notion. (If there is language containment, but not simulation, this is usually accidental, not by design.)

20 -safety & liveness (infinite runs !) -specification vs. monitor automata -linear (language containment) vs. branching (simulation) semantics Omega Automata

21 Specification Omega Automata Syntax as for finite automata, in addition one of the following acceptance conditions: Buchi:BA  S coBuchi:CA  S Streett:SA  2 S  2 S Rabin:RA  2 S  2 S

22 Language L(M) of specification omega-automaton M = (S, S 0, , , A ) : infinite trace t 0, t 1,...  L(M) iff there exists an infinite run s 0  s 1 ... of M such that 1. s 0  s 1 ... satisfies A 2. for all i  0, t i |=  (s i )

23 Let Inf(s) = { p | p = s i for infinitely many i }. The infinite run s satisfies the acceptance condition A iff Buchi:Inf(s)  BA   coBuchi:Inf(s)  CA Streett:for all (l,r)  SA, if Inf(s)  l   then Inf(s)  r   Rabin:for some (l,r)  RA, Inf(s)  l =  and Inf(s)  r  

24 finite:  FA Buchi:  BA coBuchi:  CA Streett:  (  l   r) Rabin:  (   l   r)

25 (K,q) |= L M iff L(K,q)  L(M) Linear semantics of specification omega automata: omega-language containment infinite traces

26 Response specification automaton :  (a   b) assuming (a  b) = false a bb b aa s1s1 s2s2 s3s3 s0s0 Buchi condition { s 0, s 3 }

27 Response monitor automaton :  (a   b) assuming (a  b) = false a bb s1s1 s2s2 Buchi condition { s 2 } s0s0 true

28 a aa s0s0 s1s1 Buchi condition { s 0 } No coBuchi condition  a Streett condition { ({s 0,s 1 }, {s 0 }) } Rabin condition { ( , {s 0 }) }

29 a aa s0s0 s1s1 No Buchi condition coBuchi condition { s 0 }  a Streett condition { ({s 1 },  ) } Rabin condition { ({s 1 }, {s 0,s 1 }) }

30 a aa s0s0 s1s1 Buchi condition { s 2 }  a a s2s2

31 -Buchi and coBuchi automata cannot be determinized -Streett and Rabin automata can be determinized nondeterministic Buchi = deterministic Streett = deterministic Rabin = nondeterministic Streett = nondeterministic Rabin = omega-regular [Buchi 1960]

32 Omega automata are strictly more expressive than LTL. Omega-automata:omega-regular languages LTL: counter-free omega-regular languages 

33 Omega automata:omega-regular languages = second-order theory of monadic predicates & successor = omega-regular expressions LTL: counter-free omega-regular languages = first-order theory of monadic predicates & successor = star-free omega-regular expressions 

34 atrue (  p) ( p    p   (p   p)   (p  a)) (  p) ( p(0)   p(1)  (  t) (p(t)  p(t+2))  (  t) (p(t)  a(t))) (a; true) 

35 Structure of the Omega-Regular Languages Streett = Rabin Buchi coBuchi FinitecoFinite

36 Structure of the Omega-Regular Languages Streett = Rabin Buchi coBuchi FinitecoFinite counter-free

37 Structure of the Counter-free Omega-Regular Languages    finite boolean combinations of  and 

38 The location of a linear-time property in the Borel hierarchy indicates how hard (theoretically as well as conceptually) the corresponding model-checking problem is.

39    finite boolean combinations of  and  safety weakly fair evty. strongly fair eventuality

40 (K,q) |= L M iff L(K,q)  L(M) Branching semantics of specification omega automata: infinite trace-tree containment infinite trace trees ["Fair simulation"; H, Kupferman, Rajamani 1997]

41 Branching semantics of specification omega automata, alternative definition: game model vs. specification (K,q) |= B M iff there exists a winning strategy of M against (K,q). Strategy G is winning if - [G(q 0 …q n )] = [q n ] - for all infinite fair runs q 0 q 1 … of K, G(q 0 ) G(q 0 q 1 ) G(q 0 q 1 q 2 ) …  L(M).

42 a d b c a d b c d b c |= B

43 a d bc a d b d c d

44 Model-checking problem I |= S system model: state-transition graph system property: -safety v. weak v. strong fairness -logic v. spec v. monitor automata -linear v. branching

45 Model-checking problem I |= S system model: state-transition graph system property: -safety v. weak v. strong fairness -logic v. spec v. monitor automata -linear v. branching easiest harder hard

46 Model-Checking Algorithms = Graph Algorithms

47 1Safety: -solve: STL (  U model checking), finite monitors (  emptiness) -algorithm: reachability (linear) 2Eventuality under weak fairness: -solve: weakly fair CTL (   model checking), Buchi monitors (  emptiness) -algorithm: strongly connected components (linear) 3Liveness: -solve: strongly fair CTL, Streett monitors (  (    ) emptiness) -algorithm: recursively nested SCCs (quadratic)

48 From specification automata to monitor automata: determinization (exponential) + complementation (easy) From LTL to monitor automata: complementation (easy) + tableau construction (exponential)

49 B1 Simulation: relation refinement (quadratic) B2 Weakly fair simulation: Buchi game (quadratic) B3 Strongly fair simulation: Streett game (quadratic in structures, exponential in fairness constraints)

50 Six Algorithms 1Reachability 2Strongly connected components 3Recursively nested SCCs 4Tableau construction 5Relation refinement 6Buchi games 7Streett games 8Streett determinization

51 Finite Emptiness Given: finite automaton (S, S 0, , , FA) Find: is there a path from a state in S 0 to a state in FA ? Solution: depth-first or breadth-first search

52 Application 1:STL model checking Application 2:finite monitors

53 Buchi Emptiness Given: Buchi automaton (S, S 0, , , BA) Find: is there an infinite path from a state in S 0 that visits some state in BA infinitely often ? Solution: 1. Compute SCC graph by depth-first search 2. Mark SCC C as fair iff C  BA   3. Check if some fair SCC is reachable from S 0

54 Application 1:CTL model checking over weakly-fair transition graphs (note: really need multiBuchi) Application 2:Buchi monitors

55 Streett Emptiness Given: Streett automaton (S, S 0, , , SA) Find: is there an infinite path from a state in S 0 that satisfies all Streett conditions (l,r) in SA ? Solution: check if S 0  RecSCC (S, , SA)  

56 function RecSCC (S, , SA) : X :=  for each C  SCC (S,  ) do F :=  if  C   then for each (l,r)  SA do if C  r   then F := F  (l,r) else C := C \ l if F = SA then X := X  pre * (C) else X := X  RecSCC (C,  C, F) return X

57 Complexity n number of states m number of transitions snumber of Streett pairs Reachability:O(n+m) SCC:O(n+m) RecSCC:O((n+m) · s 2 )

58 Application 1:CTL model checking over strongly-fair transition graphs Application 2:Streett monitors

59 Tableau Construction Given: LTL formula  Find: Buchi automaton M  such that L(M  ) = L(  ) [Fischer & Ladner 1975; Manna & Wolper 1982] monitors subformulas of 

60 Fischer-Ladner Closure of a Formula Sub (a)= { a } Sub (  )={  }  Sub (  )  Sub (  ) Sub (  )={  }  Sub (  ) Sub (   )={   }  Sub (  ) Sub (  U  )={  U ,  (  U  ) }  Sub (  )  Sub (  ) | Sub (  ) | = O(|  |)

61 s  Sub (  ) is consistent iff -if (  )  Sub (  ) then (  )  s iff   s and   s -if (  )  Sub (  ) then (  )  s iff   s -if (  U  )  Sub (  ) then (  U  )  s iff either   s or   s and  (  U  )  s

62 Tableau M  = (S, S 0, , , BA) S...set of consistent subsets of Sub (  ) s  S 0 iff   s s  t iff for all (   )  Sub (  ), (   )  s iff   t  (s)... conjunction of atomic observations in s and negated atomic observations not in s For each (  U  )  Sub (  ), BA contains { s |   s or (  U  )  s }

63  = (  a) U (  b) ,    a,  a ,    a, a   b, b,  b

64  = (  a) U (  b) ,    a,  a ,    a, a   b, b,  b   a,  a  b, b,  b   a, a  b, b,  b  b, b,  b

65  = (  a) U (  b) ,    a,  a ,    a, a   b, b,  b   a,  a  b, b,  b   a, a  b, b,  b  b, b,  b  a,  a  b, b,  b  a, a  b, b,  b

66  = (  a) U (  b) ,    a,  a ,    a, a   b, b,  b   a,  a  b, b,  b   a, a  b, b,  b  b, b,  b  a,  a  b, b,  b  a, a  b, b,  b

67 Size of M  is O(2 |  | ). CTL model checking:linear / quadratic LTL model checking:PSPACE-complete

Download ppt "Four Lectures on Model Checking Tom Henzinger University of California, Berkeley."

Similar presentations

Model Checking Lecture 1.

Model Checking Lecture 1.
Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Part 3: Safety and liveness

Part 3: Safety and liveness
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
1 1 CDT314 FABER Formal Languages, Automata and Models of Computation Lecture 3 School of Innovation, Design and Engineering Mälardalen University 2012.

1 1 CDT314 FABER Formal Languages, Automata and Models of Computation Lecture 3 School of Innovation, Design and Engineering Mälardalen University 2012.
Determinization of Büchi Automata

Determinization of Büchi Automata
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
 Dr. Vered Gafni 1 LTL Decidability Enables consistency check, but also base for verification.

 Dr. Vered Gafni 1 LTL Decidability Enables consistency check, but also base for verification.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.

Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.
Finite Automata Great Theoretical Ideas In Computer Science Anupam Gupta Danny Sleator CS 15-251 Fall 2010 Lecture 20Oct 28, 2010Carnegie Mellon University.

Finite Automata Great Theoretical Ideas In Computer Science Anupam Gupta Danny Sleator CS Fall 2010 Lecture 20Oct 28, 2010Carnegie Mellon University.
1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture # 11.

1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture # 11.
Games, Times, and Probabilities: Value Iteration in Verification and Control Krishnendu Chatterjee Tom Henzinger.

Games, Times, and Probabilities: Value Iteration in Verification and Control Krishnendu Chatterjee Tom Henzinger.
Witness and Counterexample Li Tan Oct. 15, 2002.

Witness and Counterexample Li Tan Oct. 15, 2002.
A temporal logic for calls and returns P. Madhusudan University of Pennsylvania Joint work with Rajeev Alur and Kousha Etessami Talk at HCES 2004, Philadelphia.

A temporal logic for calls and returns P. Madhusudan University of Pennsylvania Joint work with Rajeev Alur and Kousha Etessami Talk at HCES 2004, Philadelphia.
Review of the automata-theoretic approach to model-checking.

Review of the automata-theoretic approach to model-checking.

Similar presentations

Ads by Google