Presentation is loading. Please wait.

Presentation is loading. Please wait.

Quantitative Model Checking Radu Grosu SUNY at Stony Brook Joint work with Scott A. Smolka.

Published byDoreen Lambert Modified over 9 years ago

Similar presentations

Presentation on theme: "Quantitative Model Checking Radu Grosu SUNY at Stony Brook Joint work with Scott A. Smolka."— Presentation transcript:

1 Quantitative Model Checking Radu Grosu SUNY at Stony Brook Joint work with Scott A. Smolka

2 Model Checking ? Is system S a model of formula φ?

3 Model Checking S is a nondeterministic/concurrent system.  is a temporal logic formula. –in our case Linear Temporal Logic (LTL). Basic idea: intelligently explore S ’s state space in attempt to establish S |= .

4 recurrence diameter computation tree Monte Carlo: N( ,  ) independent samples Error margin  and confidence ratio  Monte Carlo Approach LTL

5 Linear Temporal Logic An LTL formula is made up of atomic propositions p, boolean connectives , ,  and temporal modalities X (neXt) and U (Until). Safety: “nothing bad ever happens” E.g. G(  (pc 1 =cs  pc 2 =cs)) where G is a derived modality (Globally). Liveness: “something good eventually happens” E.g. G( req  F serviced ) where F is a derived modality (Finally).

6 LTL Model Checking Every LTL formula  can be translated to a Büchi automaton B  whose language is the set of infinite words satisfying . Automata-theoretic approach: S |=  iff L ( B S )  L ( B  ) iff L ( B S  B  )   Checking non-emptiness is equivalent to finding an accepting cycle reachable from initial state (lasso).

7 Bernoulli Random Variable (coin flip) Value of Bernoulli RV Z: Z = 1 (success) & Z = 0 (failure) Probability mass function: p(1) = Pr[Z=1] = p z p(0) = Pr[Z=0] = 1- p z = q z Expectation: E[Z] = p z

8 Monte Carlo Approximation Problem: Compute the mean value μ Z of a random variable Z distributed in [0,1] when exact computation of μ Z proves intractable. with error margin  and confidence ratio . Solution: Compute an ( ,  ) -approximation of  Z :

9 Naive Solution Compute as the mean value of N independent random variables (samples) identically distributed according to Z : Compute N using the Zero-One estimation theorem: Problems: is unknown and can be large.

10 Stopping Rule Algorithm (SRA) Innovation: compute correct N without using Problem: is in most interesting cases too large. Theorem: E[N]  4 ln(  /  ) /  Z   ;

11 Optimal Approx Algorithm (OOA) Compute N using generalized Zero-One estimation: Apply sequential analysis (prediction/correction): 1. Compute assuming with SRA( ) 2. Compute  using and 3. Compute using to correctly estimate N. Expected number of samples is optimal to within a constant factor!

12 Monte Carlo Model Checking Sample Space: lassos in B S  B  Bernoulli random variable Z : –Outcome = 1 if rand. chosen lasso is not accepting –Outcome = 0 otherwise  Z = p Z = ∑ p i Z i (expect. of a nonaccepting lasso) where p i is lasso prob. (uniform random walk).

13 Lassos Probability Space L 1 = 11 L2 = 1244 L 3 = 1231 L4 = 12344 Pr[L 1 ]= ½ Pr[L 2 ]= ¼ Pr[L 3 ]= ⅛ Pr[L 4 ]= ⅛ q Z = L 1 + L 3 = 5  8 p Z = L 3 + L 4 = 3  8 12 4 3

14 QMC Algorithm input: ,  and Büchi automaton B; output: s.t. (1) = OAA( , , RL(B)); return where RL(B) performs a uniform random walk through B (storing states encountered in hash table) to obtain a random sample (lasso).

15 Properties of QMC Theorem: Given a Büchi automaton B, error margin ε, and confidence ratio δ, if QMC returns then with probabiliy 1- δ, the confidence interval (CI) [1 / (1+ε), 1 / (1- ε) ] covers the unknown lasso probability  Z. Corollary: In decision mode (DM) the CI is [1 / (1+ε), 1 ].

16 Properties of QMC Theorem: Given a Büchi automaton B having diameter D, error margin ε, and confidence ratio δ, QMC runs in DM in time O(N∙D) and uses space O(D), where N = 4 ln(2 / δ) / ε. Cf. DDFS which runs in O(2 |S|+|φ| ) time for B = B S  B .

17 Implementation Implemented DDFS and QMC in jMocha model checker for synchronous systems specified using Reactive Modules. Performance and scalability of QMC compares very favorably to DDFS.

18 (Deadlock freedom) DPh: Symmetric Unfair Version

19 (Starvation freedom) DPh: Symmetric Unfair Version

20 DPh: Asymmetric Fair Version (Deadlock freedom) δ = 10 -1 ε = 1.8*10 -4 N = 1257

21 DPh: Asymmetric Fair Version (Starvation freedom) δ = 10 -1 ε = 1.8*10 -4 N = 1257

22 Related Work Heimdahl et al.’s Lurch debugger. Mihail & Papadimitriou (and others) use random walks to sample system state space. Herault et al. use bounded model checking to compute an (ε,δ)-approx. for “positive LTL”. Probabilistic Model Checking of Markov Chains: ETMCC, PRISM, PIOAtool, and others.

23 Conclusions QMC is first randomized, Monte Carlo algorithm for the classical problem of temporal-logic MC. Future Work: Use BDDs to improve run time. Also, take samples in parallel! Open Problem: Branching-Time Temporal Logic (e.g. CTL, modal mu-calculus).

24 Model Checking ? Is system S a model of formula φ?

25 Talk Outline 1.Model Checking 2.Randomized Algorithms 3.LTL Model Checking 4.Optimal Monte Carlo Estimation 5.Quantitative Model-Checking (QMC) 6.Implementation & Results 7.Conclusions & Open Problem

26 diameter computation tree Size of S’s state transition graph is O(2 |s| )! Model Checking’s Fly in the Ointment: State Explosion Symbolic MC (OBDDs) Symmetry Reduction Partial Order Reduction Abstraction Refinement Bounded Model Checking

27 Randomized Algorithms Huge impact on CS: (distributed) algorithms, complexity theory, cryptography, etc. Takes of next step algorithm may depend on random choice (coin flip). Benefits of randomization include simplicity, efficiency, and symmetry breaking.

28 Randomized Algorithms Monte Carlo: may produce incorrect result but with bounded error probability. –Example: Rabin’s primality testing algorithm Las Vegas: always gives correct result but running time is a random variable. –Example: Randomized Quick Sort

29 Emptiness Checking Checking non-emptiness is equivalent to finding an accepting cycle reachable from initial state (lasso). Double Depth-First Search (DDFS) algorithm can be used to search for such cycles, and this can be done on-the-fly! s1s1 s2s2 s3s3 sksk s k-2 s k-1 s k+1 s k+2 s k+3 snsn DFS 2 DFS 1

30 Random Lasso (RL) Algorithm

Download ppt "Quantitative Model Checking Radu Grosu SUNY at Stony Brook Joint work with Scott A. Smolka."

Similar presentations

Model Checking Lecture 1.

Model Checking Lecture 1.
Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
Model Checking and Testing combined

Model Checking and Testing combined
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
Monte Carlo Model Checking Radu Grosu SUNY at Stony Brook Joint work with Scott A. Smolka.

Monte Carlo Model Checking Radu Grosu SUNY at Stony Brook Joint work with Scott A. Smolka.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
Part 3: Safety and liveness

Part 3: Safety and liveness
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.

Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.
Timed Automata.

Timed Automata.
“Devo verificare un’equivalenza polinomiale…Che fò? Fò dù conti” (Prof. G. Di Battista)

“Devo verificare un’equivalenza polinomiale…Che fò? Fò dù conti” (Prof. G. Di Battista)
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.
Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.

Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
1 The Monte Carlo method. 2 (0,0) (1,1) (-1,-1) (-1,1) (1,-1) 1 Z= 1 If  X 2 +Y 2  1 0 o/w (X,Y) is a point chosen uniformly at random in a 2  2 square.

1 The Monte Carlo method. 2 (0,0) (1,1) (-1,-1) (-1,1) (1,-1) 1 Z= 1 If  X 2 +Y 2  1 0 o/w (X,Y) is a point chosen uniformly at random in a 2  2 square.

Similar presentations

Ads by Google