Intelligent Systems: Model Checking and Theorem Proving (slides by Gulay Unel, © Copyright 2008 STI INNSBRUCK, www.sti-innsbruck.at)

Slide 1: Intelligent Systems – Model Checking and Theorem Proving (slides by Gulay Unel)

Slide 2: Overview
– Model Checking
– Theorem Proving

Slide 3: Model Checking – Overview
– Introduction
– Models
– LTL
– CTL
– Other logics
– Model Checking

Slide 4: Introduction
Model checking is an automated technique that, given a finite-state model of a system and a formal property, checks whether this property holds for (a given state in) that model.
Formally: M ⊨ Φ, where the model M represents a design and the property Φ formalizes its correctness criteria.
Model checking focuses mostly on automatic decision procedures:
– The model is often restricted to a finite state transition system.
– Properties are expressed in a propositional logic such as LTL or CTL, for which finite-state model checking is known to be decidable.
Note that the model checking problem is not limited to finite state systems or propositional logics.

Slide 5: Model: Transition System
A transition system TS is a tuple (S, →, I, AP, L) where
– S is a set of states
– → ⊆ S × S is the transition relation
– I ⊆ S is a set of initial states
– AP is a set of atomic propositions
– L: S → 2^AP is a labeling function
An execution: π = s_0, s_1, ... such that
– for every i ≥ 0, s_i → s_{i+1}
– s_0 ∈ I
Trace of an execution: the sequence of sets of atomic propositions trace(π) = L(s_0), L(s_1), ...
Traces(TS): the set of all traces of all executions of TS; it defines the observable behaviour of TS.

Slide 6: Property: Temporal Logic
The properties of transition systems are expressed in temporal logics, most often propositional ones:
– Linear Time Temporal Logic (LTL)
– Branching Time Temporal Logic (CTL)
In all of these logics the atomic formulas are the atomic propositions from AP.
Each state s in a model TS has a set of atomic propositions L(s) that are true in that state; all other atomic propositions are false in s.

Slide 7: Syntax of LTL
propositional logic
– true
– a, b, … ∈ AP
– ¬α, α ∧ β
temporal operators
– X α : the neXt step fulfills α
– F α : sometimes in the Future α will hold
– G α : α Globally holds
– α U β : α holds Until β holds
Linear temporal logic is a logic for describing linear time properties.

Slide 8: Derived Operators
false ≡ ¬true
α ∨ β ≡ ¬(¬α ∧ ¬β)
α → β ≡ ¬α ∨ β
α ↔ β ≡ (α → β) ∧ (β → α)
Precedence order: the unary operators bind stronger than the binary ones. ¬ and X bind equally strong. U takes precedence over ∧, ∨, and →.
¬, X, F, G > U > ∧, ∨, →, ↔

Slide 9: Examples – Properties of a traffic light
– the light is never red and green: G ¬(red ∧ green)
– whenever the light is red, it cannot become green immediately afterwards: red → ¬X green
– eventually, the light becomes green: F green

Slide 10: Practical properties in LTL
Reachability
– reachability: F α
– conditional reachability: α U β
– reachability from any state: not expressible
Safety: G α
Liveness: G(α → F β) and others
Fairness: G F α and others

Slide 11: Semantics over Words
The language induced by an LTL formula α over AP = {a_1, …, a_n} is
L(α) = { w ∈ (2^AP)^ω | w ⊨ α }
where ⊨ is defined as follows (let w = A_0 A_1 A_2 ... and w[i] = A_i A_{i+1} A_{i+2} ...):
w ⊨ true
w ⊨ a_i iff a_i ∈ A_0
w ⊨ α ∧ β iff w ⊨ α and w ⊨ β
w ⊨ ¬α iff w ⊭ α
w ⊨ X α iff w[1] = A_1 A_2 A_3 ... ⊨ α
w ⊨ F α iff ∃ j ≥ 0. w[j] ⊨ α
w ⊨ G α iff ∀ j ≥ 0. w[j] ⊨ α
w ⊨ α U β iff ∃ j ≥ 0. w[j] ⊨ β and ∀ 0 ≤ i < j. w[i] ⊨ α

Slide 12: Semantics for Transition Systems
Semantics is defined via set inclusion: a system satisfies a formula iff all of its traces are allowed w.r.t. the formula.
TS ⊨ α iff Traces(TS) ⊆ L(α)

Slide 13: CTL in a nutshell
Branching time model
Path quantifiers (in addition to LTL):
– A = “for all future paths”
– E = “for some future path”
Example: A F a = “inevitably a”
[Figure: computation tree illustrating A F a, with a holding somewhere on every path]

Slide 14: Other logics: Mu-Calculus
– Logic of relations with a fixed point operator
– Can express transitive closure
– Good for describing algorithms

Slide 15: Model Checking
input:
– temporal logic (property)
– transition system (model)
output:
– yes
– no + counterexample
[Figure: a model checker MC takes the property G(a → F b) and a transition system labelled with a and b, and answers yes or no]
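Slides 5, 9, 11, 12 and 15 together describe one pipeline: a transition system produces traces, an LTL formula accepts a language of words, and model checking asks whether every trace is accepted. The following Python is an added example written for this transcript; it is not code from the slides or from any tool they cite. It evaluates the word semantics of slide 11 on ultimately periodic words (prefix followed by a repeated loop), enumerates lasso-shaped executions of a small transition system, and reports a violating execution as the counterexample of slide 15. The traffic-light words and the three-state model are constructed for illustration; the bounded enumeration is a teaching aid, not the automata-theoretic algorithm of slide 16, so a "yes" answer is only valid up to the chosen bound, whereas any counterexample it returns is a genuine execution.

```python
# Formulas are nested tuples: ('ap', a), ('not', f), ('and', f, g), ('X', f),
# ('F', f), ('G', f), ('U', f, g).  The other connectives are derived as on slide 8.
def ap(a): return ('ap', a)
def Not(f): return ('not', f)
def And(f, g): return ('and', f, g)
def Or(f, g): return Not(And(Not(f), Not(g)))      # α ∨ β ≡ ¬(¬α ∧ ¬β)
def Implies(f, g): return Or(Not(f), g)            # α → β ≡ ¬α ∨ β
def X(f): return ('X', f)
def F(f): return ('F', f)
def G(f): return ('G', f)
def U(f, g): return ('U', f, g)

class Lasso:
    """An ultimately periodic word prefix . loop^omega over 2^AP (each letter is a set)."""
    def __init__(self, prefix, loop):
        assert loop, "the loop must be non-empty"
        self.prefix = [frozenset(s) for s in prefix]
        self.loop = [frozenset(s) for s in loop]
        self.n = len(self.prefix) + len(self.loop)

    def letter(self, i):
        """The i-th letter A_i of the word."""
        if i < len(self.prefix):
            return self.prefix[i]
        return self.loop[(i - len(self.prefix)) % len(self.loop)]

    def horizon(self, i):
        """Positions j >= i whose suffixes w[j] cover every distinct suffix from i on:
        once j >= len(prefix) the suffixes repeat with period len(loop)."""
        return range(i, max(self.n, i + len(self.loop)))

def holds(w, f, i=0):
    """w[i] |= f, the word semantics of slide 11 with quantifiers bounded by the horizon."""
    op = f[0]
    if op == 'ap':  return f[1] in w.letter(i)
    if op == 'not': return not holds(w, f[1], i)
    if op == 'and': return holds(w, f[1], i) and holds(w, f[2], i)
    if op == 'X':   return holds(w, f[1], i + 1)
    if op == 'F':   return any(holds(w, f[1], j) for j in w.horizon(i))
    if op == 'G':   return all(holds(w, f[1], j) for j in w.horizon(i))
    if op == 'U':   return any(holds(w, f[2], j) and all(holds(w, f[1], k) for k in range(i, j))
                               for j in w.horizon(i))
    raise ValueError(f"unknown operator {op!r}")

class TS:
    """Transition system (S, ->, I, AP, L) of slide 5: trans is a list of (s, s') pairs,
    init a list of initial states, label a dict s -> L(s)."""
    def __init__(self, trans, init, label):
        self.trans, self.init, self.label = trans, init, label

    def lassos(self, bound):
        """Executions shaped s_0..s_{j-1} (s_j..s_k)^omega with s_k -> s_j and k < bound."""
        def walk(path):
            last = path[-1]
            for j, s in enumerate(path):
                if (last, s) in self.trans:        # closing the loop is a real transition
                    yield path[:j], path[j:]
            if len(path) < bound:
                for a, b in self.trans:
                    if a == last:
                        yield from walk(path + [b])
        for s0 in self.init:
            yield from walk([s0])

def model_check(ts, f, bound=6):
    """TS |= f iff Traces(TS) is a subset of L(f) (slide 12).  Every lasso execution up to
    the bound is checked; a violating lasso is a genuine counterexample (slide 15), while
    'True' only says that no counterexample exists within the bound."""
    for prefix, loop in ts.lassos(bound):
        w = Lasso([ts.label[s] for s in prefix], [ts.label[s] for s in loop])
        if not holds(w, f):
            return False, (prefix, loop)
    return True, None

def traffic_light_examples():
    """Slide 9's properties on two constructed lights: one with yellow between every
    change of colour, and one that jumps from red straight to green."""
    w = Lasso([], [{'red'}, {'yellow'}, {'green'}, {'yellow'}])
    bad = Lasso([], [{'red'}, {'green'}, {'yellow'}])
    red, green, yellow = ap('red'), ap('green'), ap('yellow')
    return {
        'never red and green': holds(w, G(Not(And(red, green)))),
        'red not immediately followed by green': holds(w, G(Implies(red, Not(X(green))))),
        'same property on the bad light': holds(bad, G(Implies(red, Not(X(green))))),
        'eventually green': holds(w, F(green)),
        'infinitely often red': holds(w, G(F(red))),
        'no green before the first yellow': holds(w, U(Not(green), yellow)),
    }

def slide15_example():
    """Constructed model for slide 15's G(a -> F b): from s0 the system may move to s2
    and stay there forever without ever reaching b, so the liveness property fails."""
    ts = TS(trans=[('s0', 's1'), ('s1', 's0'), ('s0', 's2'), ('s2', 's2')],
            init=['s0'], label={'s0': {'a'}, 's1': {'b'}, 's2': set()})
    a, b = ap('a'), ap('b')
    liveness = model_check(ts, G(Implies(a, F(b))), bound=3)   # (False, (['s0'], ['s2']))
    safety = model_check(ts, G(Not(And(a, b))), bound=3)       # (True, None)
    return liveness, safety
```

The horizon trick is what makes the infinite quantifiers of slide 11 decidable on a lasso: a suffix starting inside the loop is identical to the suffix one period later, so checking one full period past the prefix inspects every distinct suffix. The returned counterexample is the execution itself (prefix and loop of states), which is the form a practitioner needs in order to replay the failing behaviour against the design.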

Slide 16: LTL Model Checking
Vardi and Wolper
– Apply Büchi’s technique to LTL
– Automaton construction yields an optimal decision algorithm
Kurshan
– Specify properties directly as automata
Example: infinitely often a (G F a)
[Figure: Büchi automaton for G F a, with edges labelled a and true]

Slide 17: CTL Model Checking
Reasoning about properties of non-deterministic programs
– branching time properties of programs
– fixed point characterizations (Tarski): every monotonic function has a least/greatest fixed point
– key idea: apply to finite graphs, not infinite trees; Tarski fixed points can be calculated directly
Applications
– finite state machines in hardware
– protocols
– proved incorrectness of some published designs

Slide 18: Theorem Proving (Resolution) – Overview
– Introduction
– Proof System
– Resolution
– Heuristic Search
– Applications
– Other Topics

Slide 19: Introduction
Unlike model checking, theorem proving addresses the general validity of a formula (whether a formula α holds in all models): ⊨ α
It utilizes proof inference in some proof system.
The problem is transformed into a sequent, a working representation for the theorem proving problem.
The simplest sequent used in natural deduction: ⊢ α
A sequent holds when it satisfies its intended semantics.
For example, ⊢ α is derivable in natural deduction only if the formula α holds in every model.

Slide 20: Proof System
A proof system is a collection of inference rules of the form:
    P_1 … P_n
    --------- name
        C
where C is a conclusion sequent and the P_i are premise sequents. If an inference rule does not have any premises (it is then called an axiom), its conclusion automatically holds.

Slide 21: Proof Tree
– A proof of a sequent is a proof tree whose nodes are sequents.
– The root is the sequent to be proven (the theorem).
– For each sequent in the tree, all of its children are premises of some inference rule in which that sequent is a conclusion.
– A proof is complete when each sequent in the proof tree has an associated inference rule.
There are two ways of building a proof tree:
– Bottom-up
– Top-down

Slide 22: Proof by Refutation (proof by contradiction, reductio ad absurdum)
Method:
– Negate the theorem statement and add it to the axioms
– Show that this set of sentences is self-inconsistent: use rules of inference to derive the False statement
This means that the sentences can’t all be true at the same time. But the axioms are true, hence the negated theorem must be false, hence the theorem must be true.

Slide 23: The Resolution Method
– Uses proof by refutation
– Requires sentences to be in a particular format: Conjunctive Normal Form [CNF]
– Uses a single inference rule: the generalised resolution rule
– Requires an understanding of the unification method (this lecture)
The method is refutation-complete: if a theorem is true and representable in first order logic, then this method will prove it [amazing result by Robinson, 1965].
No guarantees are given about how long it will take:
– It actually takes a long time to prove even fairly trivial theorems
– Heuristics can be used to speed it up

Slide 24: The Resolution Method – Overview
Maintain a knowledge base of clauses
– Start with the axioms and the negation of the theorem
Resolve pairs of clauses
– Using a single rule of inference (generalised resolution)
– The resolved sentence contains fewer literals
The proof ends with the empty clause
– Signifies a contradiction
– Must mean the negated theorem is false, because the axioms are consistent
– Therefore the original theorem was true

Slide 25: Resolution Rule
Takes two clauses in Conjunctive Normal Form:
– Finds a literal L_1 in one and a literal L_2 in the other
– Such that L_1 unifies with ¬L_2 (with substitution mu)
– In the resolved clause, L_1 and L_2 are omitted
– And the substitution is applied to the whole disjunction
    p_1 ∨ ... ∨ p_j ∨ ... ∨ p_m,    q_1 ∨ ... ∨ q_k ∨ ... ∨ q_n
    ------------------------------------------------------------------------
    Subst(mu, (p_1 ∨ ... ∨ p_{j-1} ∨ p_{j+1} ∨ ... ∨ p_m ∨ q_1 ∨ ... ∨ q_{k-1} ∨ q_{k+1} ∨ ... ∨ q_n))

Slide 26: The Empty Clause Signifies False
Resolution theorem proving ends when the resolved clause has no literals (is empty).
This can only be because two unit clauses were resolved, one being the negation of the other (after substitution):
– Example: q(X) and ¬q(X), or: p(X) and ¬p(simon)
Hence if we see the empty clause, this was because there was an inconsistency, and the proof by contradiction has succeeded.

Slide 27: Aristotle Example
All men are mortal and Socrates is a man. Therefore Socrates is mortal.
Initial Knowledge Base
– is_man(X) → is_mortal(X) [universal quantification assumed]
– is_man(socrates)
In Conjunctive Normal Form
– ¬is_man(X) ∨ is_mortal(X)
– is_man(socrates)
– ¬is_mortal(socrates) [negation of theorem]

Slide 28: Reading off a Proof
Backtrack and then read forward:
You said that all men were mortal. That means that for all things X, either X is not a man, or X is mortal [CNF step]. If we assume that Socrates is not mortal, then, given your previous statement, this means Socrates is not a man [first resolution step]. But you said that Socrates is a man, which means that our assumption was false [second resolution step], so Socrates must be mortal.
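To make slides 22 to 28 concrete, here is an added Python example, written for this transcript rather than taken from the slides or from any prover they mention. It implements first-order unification with an occurs check, the generalised resolution rule of slide 25 (with the second parent's variables renamed so that they cannot clash), saturation by refutation until the empty clause of slide 26 appears, and a read-back of the derivation in the spirit of slide 28. The term encoding (uppercase strings are variables, lowercase strings constants, a literal is a sign/predicate/arguments triple, a clause a frozenset of literals) and the `refute`, `resolvents` and `aristotle` names are this example's own choices.

```python
import itertools

# Encoding (constructed for this example): a variable is a string starting with an
# uppercase letter, a constant a lowercase string, a compound term (functor, (args...)).
# A literal is (positive, predicate, args); a clause is a frozenset of literals (CNF).

def is_var(t):
    return isinstance(t, str) and t[:1].isupper()

def subst(theta, t):
    """Apply the substitution theta (dict var -> term) to a term, chasing bindings."""
    if is_var(t):
        return subst(theta, theta[t]) if t in theta else t
    if isinstance(t, tuple):
        return (t[0], tuple(subst(theta, a) for a in t[1]))
    return t

def occurs(v, t):
    return v == t if is_var(t) else isinstance(t, tuple) and any(occurs(v, a) for a in t[1])

def unify(x, y, theta=None):
    """Most general unifier of x and y extending theta, or None when none exists."""
    theta = {} if theta is None else theta
    x, y = subst(theta, x), subst(theta, y)
    if x == y:
        return theta
    if is_var(x):
        return None if occurs(x, y) else {**theta, x: y}   # occurs check: X vs f(X) fails
    if is_var(y):
        return None if occurs(y, x) else {**theta, y: x}
    if isinstance(x, tuple) and isinstance(y, tuple) and x[0] == y[0] and len(x[1]) == len(y[1]):
        for a, b in zip(x[1], y[1]):
            theta = unify(a, b, theta)
            if theta is None:
                return None
        return theta
    return None

def apply_to_clause(theta, clause):
    return frozenset((pos, pred, tuple(subst(theta, a) for a in args))
                     for pos, pred, args in clause)

def rename(t, k):
    if is_var(t):
        return f"{t}_{k}"
    if isinstance(t, tuple):
        return (t[0], tuple(rename(a, k) for a in t[1]))
    return t

def standardise_apart(clause, counter=itertools.count()):
    """Give the clause fresh variable names so they cannot clash with the other parent's."""
    k = next(counter)
    return frozenset((pos, pred, tuple(rename(a, k) for a in args)) for pos, pred, args in clause)

def resolvents(c1, c2):
    """Generalised resolution rule (slide 25): for every complementary pair L1 in c1, L2 in c2
    whose atoms unify with mgu mu, drop the pair and apply mu to the remaining disjunction."""
    c2 = standardise_apart(c2)
    out = set()
    for l1 in c1:
        for l2 in c2:
            if l1[0] != l2[0] and l1[1] == l2[1] and len(l1[2]) == len(l2[2]):
                mu = unify((l1[1], l1[2]), (l2[1], l2[2]))
                if mu is not None:
                    out.add(apply_to_clause(mu, (c1 - {l1}) | (c2 - {l2})))
    return out

def derivation(clause, parents):
    """Read the proof back from a clause to the input clauses (slide 28)."""
    if clause not in parents:
        return [clause]
    c1, c2 = parents[clause]
    return derivation(c1, parents) + derivation(c2, parents) + [clause]

def refute(clauses, max_rounds=20):
    """Proof by refutation (slides 22 and 24): saturate the knowledge base with resolvents
    until the empty clause appears.  Returns (True, derivation) on success, (False, None)
    when no new clause can be derived, (None, None) if the round limit is exhausted."""
    kb, parents = set(clauses), {}
    for _ in range(max_rounds):
        new = set()
        for c1, c2 in itertools.combinations(kb, 2):
            for r in resolvents(c1, c2):
                if r not in kb and r not in new:
                    parents[r] = (c1, c2)
                    new.add(r)
                if not r:                              # empty clause: contradiction found
                    return True, derivation(r, parents)
        if not new:
            return False, None
        kb |= new
    return None, None

def aristotle():
    """All men are mortal, Socrates is a man |- Socrates is mortal (slide 27)."""
    rule = frozenset({(False, 'is_man', ('X',)), (True, 'is_mortal', ('X',))})
    fact = frozenset({(True, 'is_man', ('socrates',))})
    negated_goal = frozenset({(False, 'is_mortal', ('socrates',))})
    return refute([rule, fact, negated_goal])

def no_proof():
    """Without the rule the set is consistent, so saturation stops without a refutation."""
    fact = frozenset({(True, 'is_man', ('socrates',))})
    negated_goal = frozenset({(False, 'is_mortal', ('socrates',))})
    return refute([fact, negated_goal])
```

`refute` resolves every pair of clauses in each round, which is the unrestricted search that slide 32 describes as slow; the strategies on the following slides restrict which pairs are tried. The occurs check in `unify` is the guard that keeps a variable from being bound to a term containing itself, which would otherwise let the prover "unify" p(X) with p(f(X)) and derive unsound resolvents.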

Slide 29: Alternative Search Tree
[Figure: an alternative search tree for the Socrates proof]
How do you read the proof for this search tree?

Slide 30: Dealing with Equality – Approach 1: Add Knowledge
Problem with equality:
– was_president(george_bush) and was_president(g_bush) will not unify (syntactically different constants); the unification algorithm does not allow this unification
– Even if we add to the knowledge base: george_bush = g_bush
One alternative: add extra knowledge to the KB
– Axioms of equality (X = X, X = Y → Y = X, etc.)
– Equality statements for each predicate: X = Y → P(X) = P(Y)
– Must be done for all predicates

Slide 31: Dealing with Equality – Approach 2: Add a Demodulation Rule
Demodulation rule of inference:
– Takes two input sentences, one expressing an equality: that sentence X = sentence Y
– Finds a unification, mu, for X with a term, Z, in the other clause
– Applies mu to Y (not X)
– Replaces the occurrence of Z with Subst(mu, Y)
    X = Y,    (…Z…)
    ------------------
    (…Subst(mu, Y)…)

Slide 32: Heuristic Search Overview
Pure resolution search tends to be slow for interesting problems:
– Lots of clauses in the initial knowledge base
– Each step adds a new clause (which can be used)
– The search space gets too big
We can choose any pair of clauses to try to resolve.
Heuristic type 1:
– Intelligently choose which pair to resolve at any time
Heuristic type 2:
– Prune the space: don’t allow resolution with certain clauses

Slide 33: Unit Preference Strategy
Greedy search:
– Prefer to resolve certain clause types when possible
Unit clauses:
– Contain only a single literal, e.g., C = is_pm(tony)
Idea:
– We are looking for the smallest (empty) clause
– Resolving with a unit clause keeps clauses small
Effectiveness:
– Was very effective early on for simple problems
– Doesn’t reduce the branching rate for medium problems

Slide 34: Set of Support Strategy
Maintain a set of (support) clauses, SOS:
– Only allow resolution steps involving members of the SOS
Idea: choose the clauses not in the SOS to be consistent
– Hence a clause in the SOS must eventually be resolved in order to find a path to the solution
In practice:
– Initially choose the SOS to be the negated theorem
– Add any newly resolved clause to the SOS
– The Otter theorem prover uses this strategy

Slide 35: Input Resolution Strategy
Special case of the SOS strategy: restrict the SOS to include only the clauses in the initial knowledge base.
Clearly brings down the search space size. However, it is not complete for first order logic.
But it is complete for:
– Horn-clause knowledge bases
– such as Prolog programs

Slide 36: Subsumption of Clauses
One clause, C, subsumes clause D if D is more specific than C (or, C is more general).
Naïve check for subsumption:
– Find a unifying substitution allowing us to write D as a subset of the literals of C, such that variables and constants in D become variables in C
Example:
– p(george) ∨ q(X) is subsumed by p(A) ∨ q(B) ∨ r(C)
– Substitution: {george/A, X/B}
– The second clause is clearly more general

Slide 37: Subsumption Strategy
Whenever a new clause is found:
– Check that there is no existing clause which subsumes the new clause
Idea: removing more specific clauses
– Will not change the inconsistency in the database, because specific clauses can be inferred from the general ones
– Hence the theorem will still be provable
– But the search space will be reduced
Have to be careful:
– Subsumption checking can be expensive; it must be outweighed by the reduction in search space
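Slides 36 and 37 describe subsumption informally. The following added Python (this transcript's own example, not code from the slides or from Otter) implements the standard θ-subsumption test, under which C subsumes D exactly when some substitution θ makes every literal of Cθ a literal of D; this is the condition that guarantees C entails D and therefore makes deleting D safe, as slide 37 requires. Note that under this condition the subsuming clause may not contain a literal that the subsumed clause lacks, so in the constructed clauses below the extra literal r(C) sits on the more specific side. The term encoding matches the resolution example earlier on this page (uppercase strings are variables, lowercase strings constants); `match`, `subsumes` and `forward_subsumed` are names chosen here.

```python
# Encoding (constructed, shared with the resolution example on this page): variables are
# uppercase strings, constants lowercase strings, compound terms (functor, (args...)),
# literals (positive, predicate, args), clauses frozensets of literals.

def is_var(t):
    return isinstance(t, str) and t[:1].isupper()

def match(pattern, term, theta):
    """One-way matching: bind variables of `pattern` only, so that pattern[theta] == term.
    Unlike unification, variables occurring in `term` are treated as constants."""
    if is_var(pattern):
        if pattern in theta:
            return theta if theta[pattern] == term else None   # consistent rebinding only
        return {**theta, pattern: term}
    if (isinstance(pattern, tuple) and isinstance(term, tuple)
            and pattern[0] == term[0] and len(pattern[1]) == len(term[1])):
        for p, t in zip(pattern[1], term[1]):
            theta = match(p, t, theta)
            if theta is None:
                return None
        return theta
    return theta if pattern == term else None

def subsumes(c, d):
    """theta-subsumption: return a substitution theta with C[theta] a subset of D, or None.
    Each literal of C is matched onto some literal of D, backtracking over the choice."""
    def go(lits, theta):
        if not lits:
            return theta
        (pos, pred, args), rest = lits[0], lits[1:]
        for pos2, pred2, args2 in d:
            if pos == pos2 and pred == pred2 and len(args) == len(args2):
                theta2 = match((pred, args), (pred2, args2), theta)
                if theta2 is not None:
                    found = go(rest, theta2)
                    if found is not None:
                        return found
        return None
    return go(list(c), {})

def forward_subsumed(new_clause, kb):
    """Subsumption strategy (slide 37): a new clause is discarded when an existing
    clause of the knowledge base subsumes it."""
    return any(subsumes(c, new_clause) is not None for c in kb)

def example():
    p, q, r = 'p', 'q', 'r'
    general = frozenset({(True, p, ('A',)), (True, q, ('B',))})
    specific = frozenset({(True, p, ('george',)), (True, q, ('X',)), (True, r, ('C',))})
    shared_var = frozenset({(True, p, ('X',)), (True, q, ('X',))})
    two_consts = frozenset({(True, p, ('a',)), (True, q, ('b',))})
    unit = frozenset({(True, p, ('X',))})
    return {
        'general subsumes specific': subsumes(general, specific) is not None,
        'substitution': subsumes(general, specific),
        'specific does not subsume general': subsumes(specific, general) is not None,
        'shared variable must be bound consistently': subsumes(shared_var, two_consts) is not None,
        'unit clause subsumes a clause containing an instance': subsumes(unit, two_consts) is not None,
        'new specific clause is dropped': forward_subsumed(specific, [general]),
    }
```

The `shared_var` case is the one a naive literal-by-literal check gets wrong: p(X) ∨ q(X) matches p(a) and q(b) individually, but no single θ makes both hold, so it does not subsume p(a) ∨ q(b). The backtracking search is exponential in the worst case, which is the cost slide 37 warns must be outweighed by the smaller search space.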

Slide 38: Applications of Resolution – Algebraic Theorem Proving
Bill McCune and Larry Wos
– Argonne National Laboratories
– Writing first order provers such as EQP and Otter
Solution of the Robbins Problem (Boolean algebras)
– Stated over 60 years ago; mathematicians tried and failed
– EQP solved this in 8 days in 1996 (after much development)
Also nice: axiomatisations of algebras
– Attempt to find more succinct ways of describing algebras
– Use Otter to prove that the new way is equivalent to the normal way of axiomatising algebras

Slide 39: Applications – Automated Conjecture Making
Automated Theory Formation (HR)
– Used in mathematical (and bioinformatics) domains
Theories contain
– concepts, examples, conjectures, proofs
HR uses Otter to prove its theorems
– Effective in algebraic domains
– See notes for anti-associative algebra results
In number theory
– Otter is used as a filter (discard theorems it can prove)
– Example conjectures made by HR (and proved by me):
  Sum of divisors is prime → number of divisors is prime
  Sum of divisors of a square is an odd number
  Perfect numbers are pernicious
  [and many more…]

Slide 40: Other Topics in Automated Reasoning: Interactive Proving
Interactive theorem proving
– Necessary to interact with humans in order to prove theorems of any difficulty
Two (of many) approaches:
– Let a theorem prover do simple tasks while you develop a theory (e.g., Buchberger’s Theorema)
– Allow the user to follow a proof attempt and step in to guide the prover; this needs visualisation tools to draw and annotate proof trees

Slide 41: Other Topics – Higher Order Theorem Proving
Exactly what you would expect:
– Expressing theorems in higher order logic (see lecture 4)
– And proving them (possibly interactively)
HOL theorem prover
– Larry Paulson’s group in Cambridge
– Has been used for verification tasks: type safety for Java, verification of cryptographic protocols

Slide 42: Other Topics – Databases and Competitions
TPTP library by Geoff Sutcliffe and Christian Suttner
– Thousands of problems for theorem provers
– Used to benchmark first order theorem provers
– Contains 6973 theorems at present
– HR is the only non-human to add to this library
CASC competition by Sutcliffe et al.
– Every year: who has the fastest/most accurate first order theorem prover on the planet?
– Uses a blind test from the TPTP library
– Current champion: Vampire, by Voronkov and Riazanov in Manchester

Slide 43: Bibliography
– Model Checking and Theorem Proving: a Unified Framework, thesis by Sergey Berezin, http://reports-archive.adm.cs.cmu.edu/anon/2002/CMU-CS-02-100.pdf
– A brief history of model checking, talk by Ken McMillan, http://www.cs.uiowa.edu/~tinelli/classes/196/Spring07/notes/McMillan.pdf
– Artificial Intelligence, course by Jeremy Gow, http://www.doc.ic.ac.uk/~sgc/teaching/v231/
– Introduction to Model Checking, course by René Thiemann, http://cl-informatik.uibk.ac.at/teaching/ws07/imc/schedule.php