Symbolic Algorithms for Infinite-state Systems
1
Symbolic Algorithms for Infinite-state Systems
  • Rupak Majumdar (UC Berkeley)
  • Joint work with
  • Luca de Alfaro (UC Santa Cruz)
  • Thomas A. Henzinger (UC Berkeley)

2
Closed Systems: One-player games
  • Reactive systems
  • Transition systems
  • S: set of states (possibly infinite)
  • Σ: set of actions
  • post : S × Σ → S, successor function

3
Lifted Transition Systems
  • S: set of states
  • Σ: set of actions
  • Post : 2^S × Σ → 2^S, successor function
  • Pre : 2^S × Σ → 2^S, predecessor function

4
Observables
  • Group interesting sets of states as observables
  • Example
  • Processor 1 is in critical section
  • Thermostat temperature is between 32 and 40
  • Observable transition system
  • Transition system
  • Set of observables Ω = {O1, O2, …}, Oi ⊆ S

5
Symbolic Transition Systems
  • (S, Σ, Pre, Post, Ω)
  • Set of regions R = {R1, R2, …}, Ri ⊆ S
  • Ω ⊆ R
  • Pre, Post : R × Σ → R
  • ∪, ∩, \ : R × R → R
  • ⊆ : R × R → {T, F}

Computable
Symbolic semi-algorithm: start with the regions in Ω
and compute new regions using the operations above
6
Example: Rectangular Hybrid Automata
  • General class: polyhedral hybrid systems [Alur et al.]
  • Other classes: O-minimal systems, relational automata, Petri nets, ...

7
Verification Questions
  • Q1 Reachability
  • Is an unsafe state reachable? EF unsafe
  • Q2 Linear Temporal Logic (regular properties)
  • Is progress being made? E(GF fair → F goal)
  • Q3 ½ Branching temporal logic (ECTL, ACTL)
  • Nested reachability EF (unsafe ∧ EF err1 ∧ EF err2)
  • Q4 Branching temporal logic (CTL)
  • Is progress possible? AG(tick → EXEF tick)

8
Q1 Reachability EF
  • Is there a trajectory to an unsafe state?

R := init
loop
  if R ∩ final ≠ ∅ then yes
  if Pre(R) ⊆ R then no
  R := R ∪ Pre(R)
end
(Figure: init, final, final ∪ Pre(final), ...)
Similar algorithm by iterating Posts
Operations used: Pre, ∪
9
Q2 LTL Model Checking
  • Example: Repeated Reachability EGF
  • Can a set of states be reached infinitely often?
  • EGF final

(Figure: init, final, R, ...)
R1 = EXEF final
R2 = EXEF R1
Operations: Pre, ∪, ∩ with observables
10
Q3 ECTL model checking
  • ECTL nested reachability
  • EF(goal1 ∧ EF(goal2) ∧ EF(goal3))
  • Operations: Pre, ∪, ∩

(Figure, regions computed:)
EF (goal1 ∧ EF goal2 ∧ EF goal3)
EF goal3
EF goal2
goal1 ∧ EF goal2 ∧ EF goal3
11
Q4 CTL model checking
  • CTL: can all trajectories from init to goal1 be
    extended to goal2?
  • AG(goal1 → EF goal2) = ¬EF (goal1 ∧ ¬EF goal2)
  • Operations: Pre, ∪, ∩, \

(Figure, regions computed:)
EF (goal1 ∧ ¬EF goal2)
EF goal2
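The four verification questions of slides 8 to 11 all reduce to the region operations listed on slide 5. The following Python program is an added example, not code from the talk: it runs those fixpoint computations on a small, constructed finite transition system (states 0 to 5 and the edge list are made up for illustration), using frozensets as the region representation. Slide 8's loop is run backwards from final, as in its figure (final, final ∪ Pre(final), ...), so the yes-test is taken against init.

```python
# Constructed finite transition system (example only, not from the slides):
# states 0..5 with a single implicit action; EDGES holds (source, target) pairs.
STATES = frozenset(range(6))
EDGES = frozenset({(0, 1), (0, 4), (1, 2), (2, 1), (2, 3), (2, 4),
                   (3, 3), (4, 5), (5, 5)})

# Observables (constructed): the regions the algorithms start from.
INIT = frozenset({0})
FINAL = frozenset({2})      # target that EGF asks to visit infinitely often
GOAL1 = frozenset({1, 4})
GOAL2 = frozenset({3})
UNSAFE = frozenset({5})


def pre(region):
    """Pre(R): states with some successor in R (one symbolic step backwards)."""
    return frozenset(s for s, t in EDGES if t in region)


def reachable(init, final):
    """Slide 8's loop, iterated backwards from final: yes as soon as the
    growing region meets init, no once Pre adds nothing new."""
    R = final
    while True:
        if R & init:
            return True
        if pre(R) <= R:
            return False
        R = R | pre(R)


def ef(target):
    """EF target as the least fixpoint of R := R ∪ Pre(R), started at target."""
    R = target
    while not pre(R) <= R:
        R = R | pre(R)
    return R


def egf(final):
    """EGF final (repeated reachability, slide 9) as the greatest fixpoint
    Y := EX EF (final ∩ Y), started at the whole state space."""
    Y = STATES
    while True:
        Y_next = pre(ef(final & Y))
        if Y_next == Y:
            return Y
        Y = Y_next


def nested_ef(goal1, goal2, goal3):
    """ECTL nested reachability EF(goal1 ∧ EF goal2 ∧ EF goal3) (slide 10):
    only Pre, ∪ and ∩ are needed."""
    return ef(goal1 & ef(goal2) & ef(goal3))


def ag_implies_ef(goal1, goal2):
    """CTL property AG(goal1 → EF goal2) = S \\ EF(goal1 ∧ (S \\ EF goal2))
    (slide 11): this is where the set difference is required."""
    return STATES - ef(goal1 - ef(goal2))


if __name__ == "__main__":
    print("EF unsafe from init:", reachable(INIT, UNSAFE))
    print("EGF final:", sorted(egf(FINAL)))
    print("EF(goal1 ∧ EF goal2 ∧ EF unsafe):", sorted(nested_ef(GOAL1, GOAL2, UNSAFE)))
    print("AG(goal1 → EF goal2):", sorted(ag_implies_ef(GOAL1, GOAL2)))
```

State 1 satisfies EF goal2 but not AG(goal1 → EF goal2): it can reach the goal1-state 4, from which goal2 is unreachable, and only the complement operation of A1 can express that distinction.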
12
Three Specification Logics
  • L1 CTL (or, μ-calculus)
  • L2 ECTL or ACTL
  • L3 LTL

13
Three Symbolic Semi-Algorithms
  • A1 Close Ω under pre, ∪, ∩, \
  • A2 Close Ω under pre, ∪, ∩
  • A3 Close Ω under pre, ∪, ∩obs
  • (intersection with observables)

P0 := Ω
for i = 1, 2, 3, ...
  Pi := Pi-1 ∪ {pre(R) | R ∈ Pi-1}
             ∪ {R1 ∪ R2 | R1, R2 ∈ Pi-1}
             ∪ {R1 ∩ R2 | R1, R2 ∈ Pi-1}
             ∪ {R1 \ R2 | R1, R2 ∈ Pi-1}
until Pi = Pi-1
14
Three State Equivalences
  • E1 Bisimilarity
  • E2 Similarity (mutual simulation)
  • E3 Trace Equivalence

15
Similarity
  • Similarity moves can be matched
  • Bisimilarity Symmetric similarity
  • Trace equivalence same languages

16
Triad: symbolic algorithms, game equivalences, logics
Logics: L1 CTL, L2 ECTL, L3 LTL
Symbolic algorithms: A1 Pre + Boolean, A2 Pre + positive Boolean, A3 Pre + positive Boolean with ∩ only with observables
Game equivalences: E1 Bisimilarity, E2 Similarity, E3 Trace equivalence
17
(Diagram: Ai, symbolic semi-algorithm, model-checks Li, state logic; Ai computes Ei, state equivalence; Li induces Ei; i = 1, 2, 3)
All regions definable by Li are generated by Ai
If Ai terminates, then symbolic model checking of
Li terminates
18
States s and t are Ei-equivalent iff for all
regions R generated by Ai, s ∈ R iff t ∈ R
Ai terminates iff Ei has finite index
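Slide 13's closure semi-algorithms and slide 18's definition of the induced equivalence can be exercised directly on a finite system. The Python program below is an added example, not code from the talk; its seven-state transition system and two observables are constructed so that similarity and bisimilarity differ (s1 and s2 simulate each other but are not bisimilar). It computes the closures A1, A2 and A3, reads off the induced equivalences, and checks the A1 result against a direct partition-refinement computation of bisimilarity that uses no region algebra.

```python
from itertools import product

# Constructed finite transition system (example only, not from the slides):
# s1 -> a1, a2 ; a1 -> p ; a2 -> p, q ; s2 -> b ; b -> p, q ; p and q are sinks.
STATES = frozenset({"s1", "s2", "a1", "a2", "b", "p", "q"})
EDGES = frozenset({("s1", "a1"), ("s1", "a2"), ("a1", "p"), ("a2", "p"),
                   ("a2", "q"), ("s2", "b"), ("b", "p"), ("b", "q")})
OBSERVABLES = frozenset({frozenset({"p"}), frozenset({"q"})})   # Ω

# Operation sets of the three semi-algorithms (pre is always applied).
A1_OPS = frozenset({"union", "inter", "diff"})    # Boolean closure, bisimilarity
A2_OPS = frozenset({"union", "inter"})            # positive Boolean, similarity
A3_OPS = frozenset({"union", "inter_obs"})        # ∩ with observables only, trace equivalence


def pre(region):
    """Pre(R): states with some successor in R."""
    return frozenset(s for s, t in EDGES if t in region)


def close(observables, ops):
    """P0 := Ω; Pi := Pi-1 ∪ {pre(R)} ∪ {R1 ∪ R2} ∪ {R1 ∩ R2} ∪ {R1 \\ R2}
    until Pi = Pi-1.  Terminates here because the state space is finite."""
    regions = frozenset(observables)
    while True:
        new = set(regions)
        new.update(pre(r) for r in regions)
        for r1, r2 in product(regions, repeat=2):
            if "union" in ops:
                new.add(r1 | r2)
            if "inter" in ops or ("inter_obs" in ops and r2 in observables):
                new.add(r1 & r2)
            if "diff" in ops:
                new.add(r1 - r2)
        new = frozenset(new)
        if new == regions:
            return regions
        regions = new


def induced_classes(regions):
    """Slide 18: s and t are equivalent iff they lie in exactly the same generated regions."""
    signature = {s: frozenset(r for r in regions if s in r) for s in STATES}
    classes = {}
    for s, sig in signature.items():
        classes.setdefault(sig, set()).add(s)
    return frozenset(frozenset(c) for c in classes.values())


def bisimulation_classes():
    """Direct partition refinement: split every block by pre of every block until stable."""
    partition = induced_classes(OBSERVABLES)   # coarsest partition respecting the observables
    while True:
        refined = set()
        for block in partition:
            pieces = {block}
            for splitter in partition:
                p = pre(splitter)
                pieces = {piece for b in pieces for piece in (b & p, b - p) if piece}
            refined.update(pieces)
        refined = frozenset(refined)
        if refined == partition:
            return partition
        partition = refined


if __name__ == "__main__":
    for name, ops in (("A1", A1_OPS), ("A2", A2_OPS), ("A3", A3_OPS)):
        classes = induced_classes(close(OBSERVABLES, ops))
        print(name, sorted(sorted(c) for c in classes))
    print("bisimulation", sorted(sorted(c) for c in bisimulation_classes()))
```

Without the difference operator no generated region can contain a1 without also containing a2 and b, so A2 and A3 never separate s1 from s2; A1 produces pre(P) \ pre(Q) = {a1} and then pre({a1}) = {s1}, which is exactly the split partition refinement finds.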
19
States s and t are Ei-equivalent iff for all
formulas φ of Li, s satisfies φ iff t satisfies φ
If Ei has finite index, then Li can be model
checked on a finite quotient
20
Classification of systems [STACS00]
  • STS1
  • A1 terminates, finite bisimilarity, can model
    check CTL
  • Ex Timed automata, O-minimal systems
  • STS2
  • A2 terminates, finite similarity, can model check
    ∃CTL
  • Ex 2D rectangular automata
  • STS3
  • A3 terminates, finite trace equivalence, can
    model check LTL
  • Ex initialized rectangular automata

21
Open Systems: Games on Components
  • Model synchronous interactions between components
  • Games as models of interaction
  • Can some component ensure a behavior no matter
    how the other components behave?

22
Concurrent Games
  • Two players
  • Finite set of states S
  • Finite set of actions Σ
  • Transition function δ : S × Σ × Σ → S
  • Controllable predecessor operation CPre

23
Example: Rectangular Games
  • [AsarinMalerPnueliSifakis], [HenzingerHorowitzM]
  • Components (players) are explicit in the model
  • Suitable for modeling hybrid control problems

24
Control Questions
  • Q1 Controllability
  • Can player 1 force the game to goal? ⟨1⟩F goal
  • Q2 Linear Temporal Logic (regular properties)
  • Omega-regular games ⟨1⟩(GF fair → F goal)
  • Q3 ½ Alternating temporal logic (1ATL, 2ATL)
  • Nested controllability
  • ⟨1⟩F (unsafe ∧ ⟨1⟩F err1 ∧ ⟨1⟩F err2)
  • Q4 Alternating temporal logic
  • Nested boolean combinations of games
  • ⟨1⟩G(tick → ⟨2⟩F tick)

25
Controllability ⟨1⟩F
  • Is there a trajectory to an unsafe state?

R := final
loop
  if R ∩ final ≠ ∅ then yes
  if Cpre(R) ⊆ R then no
  R := R ∪ Cpre(R)
end
(Figure: init, final, final ∪ Cpre(final), ...)
Operations used: Cpre, ∪
26
Three Specification Logics
  • GL1 ATL (or, alternating μ-calculus)
  • GL2 1-ATL or 2-ATL
  • GL3 ALTL

27
Three Symbolic Semi-Algorithms
  • GA1 Close Ω under Cpre, ∪, ∩, \
  • GA2 Close Ω under Cpre, ∪, ∩
  • GA3 Close Ω under Cpre, ∪, ∩obs
  • (intersection with observables)

P0 := Ω
for i = 1, 2, 3, ...
  Pi := Pi-1 ∪ {Cpre(R) | R ∈ Pi-1}
             ∪ {R1 ∪ R2 | R1, R2 ∈ Pi-1}
             ∪ {R1 ∩ R2 | R1, R2 ∈ Pi-1}
             ∪ {R1 \ R2 | R1, R2 ∈ Pi-1}
until Pi = Pi-1
28
Three State Equivalences
  • GE1 Alternating Bisimilarity [AHKV]
  • GE2 Alternating Similarity (mutual simulation)
  • GE3 Alternating Trace Equivalence

29
Alternating similarity
  • Similarity moves can be matched
  • Alternating (or game) similarity strategies can
    be matched

30
Alternating similarity
  • Alternating (or game) similarity strategies can
    be matched

For example, if player 1 can force the game to
purple on the left, she can also force it to
purple on the right
31
Triad: symbolic algorithms, game equivalences, logics
Logics: GL1 ATL, GL2 1-ATL, GL3 A-LTL
Symbolic algorithms: GA1 Cpre + Boolean, GA2 Cpre + positive Boolean, GA3 Cpre + positive Boolean with ∩ only with observables
Game equivalences: GE1 Game bisimilarity, GE2 Game similarity, GE3 Game trace equivalence
32
(Diagram: GAi, symbolic semi-algorithm, model-checks GLi, state logic; GAi computes GEi, state equivalence; GLi induces GEi; i = 1, 2, 3)
All regions definable by GLi are generated by GAi
If GAi terminates, then symbolic model checking
of GLi terminates
33
States s and t are GEi-equivalent iff for all
regions R generated by GAi, s ∈ R iff t ∈ R
GAi terminates iff GEi has finite index
34
States s and t are GEi-equivalent iff for all
formulas φ of GLi, s satisfies φ iff t satisfies φ
If GEi has finite index, then GLi can be model
checked on a finite quotient
35
Classification of games [CONCUR01]
  • GS1
  • GA1 terminates, finite game bisimilarity, can
    model check ATL
  • Ex Timed games
  • GS2
  • GA2 terminates, finite game similarity, can model
    check ⟨1⟩ATL
  • Ex 2D rectangular games
  • GS3
  • GA3 terminates, finite game trace equivalence,
    can solve LTL control
  • Ex initialized rectangular games

36
Summary
  • The triad (algorithm, equivalence, logic)
    provides a useful tool to prove decidability and
    provide symbolic algorithms for infinite-state
    systems
  • The characterization provides a symbolic model
    checking algorithm for rectangular games
  • In [CONCUR99], we gave a reductive solution

37
Verification: Transition System; Property φ: Is there a run satisfying φ?; Algorithm to verify φ
Control: Game; Property φ: How can we ensure φ?; Algorithm to control for φ
What is the relationship between these algorithms?
38
Algorithms for Verification and Control
  • The actual algorithms for transition structures
    and games may be different
  • Consider only LTL verification and control

39
Co-Büchi Property: Eventually Always p
(Figure: states s1, s2, s3 with transitions labelled a, a, b, c)
Verification: EFG {s1, s3} = {s1, s2, s3}
Verification Algorithm: μX. pre(X) ∪ (νY. {s1, s3} ∩ pre(Y))
So EFG p = μX. pre(X) ∪ (νY. p ∩ pre(Y))
40
Co-Büchi Games
(Figure: game states s1, s2, s3 with joint moves labelled (a,a), (a,a), (a,a), (c,a))
Verification: EFG {s1, s3} = {s1, s2, s3}
So EFG p = μX. pre(X) ∪ (νY. p ∩ pre(Y))
Control: ⟨1⟩FG {s1, s3} = {s1, s2, s3}
Control Algorithm: μX. cpre(X) ∪ (νY. p ∩ cpre(Y)) ??
NO: ⟨1⟩FG p ≠ μX. pre(X) ∪ (νY. p ∩ pre(Y))
41
Co-Büchi Games
(Figure: game states s1, s2, s3 with joint moves labelled (a,a), (a,a), (a,a), (c,a))
⟨1⟩FG p = μX. νY. (cpre(X) ∪ (p ∩ cpre(Y))) = {s1, s2, s3}
42
So, when does a correspondence hold between
formulas for verification and control?
43
Control and Verification
  • Verification ∃Ψ
  • Does there exist a run satisfying Ψ?
  • Control ⟨1⟩Ψ
  • Does player 1 have a strategy to enforce Ψ on all
    outcomes?

44
Algorithms
  • We encode algorithms as μ-calculus formulas using
    Pre (verification) or Cpre (control).
  • Let φ(Pre) be a μ-calculus formula solving ∃Ψ.
  • When does φ(Cpre) solve ⟨1⟩Ψ?

45
Dual Verification ∃Ψ, ∀Ψ
Verification problem ∃Ψ
Is there a run satisfying Ψ?
Equivalent to ⟨1⟩Ψ if player 2 has no choice
Solved using pre operator: Pre(T) = {s | ∃a ∈ Σ. δ(s, a) ∈ T}
Dual verification problem ∀Ψ
Do all runs satisfy Ψ?
Equivalent to ⟨2⟩Ψ if player 1 has no choice
Solved using ∀pre operator: ∀Pre(T) = {s | ∀a ∈ Σ. δ(s, a) ∈ T}
46
Extremal Model Theorem [LICS01]
For an LTL formula Ψ, φ(Cpre) solves ⟨1⟩Ψ
iff φ(Pre) solves ∃Ψ and φ(∀Pre) solves ∀Ψ
  • The verification questions are extreme cases
    of a game where one of the players has no
    choice of moves
  • An algorithm that solves the extreme games
    correctly also solves all games in between

47
Co-Büchi Games
(Figure: states s1, s2, s3 with transitions labelled a, a, b, c)
Verification: AFG {s1, s3} = {s1, s2, s3}
Verification Algorithm: μX. ∀pre(X) ∪ (νY. p ∩ ∀pre(Y)) ?
NO: μX. (∀pre(X) ∪ (νY. p ∩ ∀pre(Y))) = {s2, s3}
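The co-Büchi discussion of slides 39 to 41 and the Extremal Model Theorem of slides 45 to 47 can be reproduced on a small concurrent game. The Python program below is an added example, not code from the talk or from the LICS01 paper; the three-state game given by the δ function is constructed for illustration and is not the game drawn on the slides. It implements Cpre, the controllability loop of slide 25, the verification formula with cpre substituted for pre (slide 40) and the game formula of slide 41, and it obtains the two extreme cases by giving one player a single move: a lone player-2 move turns Cpre into Pre (the ∃ case), a lone player-1 move turns it into ∀Pre.

```python
STATES = frozenset({"s1", "s2", "s3"})
P = frozenset({"s1", "s3"})        # co-Büchi objective: eventually always P
MOVES = ("a", "b")                 # moves available to each player


def delta(s, m1, m2):
    """Constructed concurrent game (example only): δ(state, player-1 move, player-2 move).
    At s1 player 2 can leave P whenever it likes by mismatching player 1's move;
    s2 and s3 move to the absorbing P-state s3 under every joint move."""
    if s == "s1":
        return "s1" if m1 == m2 else "s2"
    return "s3"


def cpre(target, moves1=MOVES, moves2=MOVES):
    """Controllable predecessor: player 1 has a move such that every player-2 reply
    lands in target.  With one player-2 move this is Pre (∃ over player-1 moves);
    with one player-1 move it is ∀Pre (∀ over player-2 moves)."""
    return frozenset(s for s in STATES
                     if any(all(delta(s, m1, m2) in target for m2 in moves2)
                            for m1 in moves1))


def lfp(f):
    """μX. f(X) over the finite state space, iterated from the empty set."""
    x = frozenset()
    while True:
        nxt = f(x)
        if nxt == x:
            return x
        x = nxt


def gfp(f):
    """νY. f(Y), iterated from the full state space."""
    y = STATES
    while True:
        nxt = f(y)
        if nxt == y:
            return y
        y = nxt


def controllable(init, goal, moves1=MOVES, moves2=MOVES):
    """Slide 25's loop for ⟨1⟩F goal: iterate Cpre backwards from goal until the
    region meets init (yes) or stops growing (no)."""
    R = goal
    while True:
        if R & init:
            return True
        if cpre(R, moves1, moves2) <= R:
            return False
        R = R | cpre(R, moves1, moves2)


def verification_formula(p, moves1=MOVES, moves2=MOVES):
    """μX. cpre(X) ∪ (νY. p ∩ cpre(Y)): the EFG p algorithm with cpre substituted for pre."""
    stay = gfp(lambda Y: p & cpre(Y, moves1, moves2))
    return lfp(lambda X: cpre(X, moves1, moves2) | stay)


def game_formula(p, moves1=MOVES, moves2=MOVES):
    """μX. νY. (cpre(X) ∪ (p ∩ cpre(Y))): the formula of slide 41."""
    return lfp(lambda X: gfp(lambda Y: cpre(X, moves1, moves2)
                             | (p & cpre(Y, moves1, moves2))))


if __name__ == "__main__":
    for label, kw in (("full game", {}), ("∃ case (player 2 has one move)", {"moves2": ("a",)}),
                      ("∀ case (player 1 has one move)", {"moves1": ("a",)})):
        print(label, "substituted:", sorted(verification_formula(P, **kw)),
              "game formula:", sorted(game_formula(P, **kw)))
```

On this game player 1 wins FG P from every state (stay at s1 while player 2 matches, and any mismatch leads to the absorbing P-state s3), yet it cannot force the play into a region where P can be held, so ⟨1⟩F {s3} fails from s1 and the substituted formula returns only {s2, s3}. It returns the same {s2, s3} in the ∀ extreme case, where all runs satisfy FG P, which is the failure the theorem predicts; the game formula returns all three states in every case.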
48
Solving LTL Games
  • Standard LTL → μ-calculus compilations
    [EL86, Dam94] convert LTL → nondeterministic ω-automaton →
    μ-calculus
  • In particular, the resulting formula for co-Büchi
    formulas does not work for games
  • Question: How do we find formulas that solve
    games (hence work in both cases)?

49
Solving LTL Games
  • Construction goes through deterministic
    Rabin-chain (parity) automata
  • Given a game G and a formula Y
  • Solve a related game on a product structure with
    Rabin-chain winning condition using the [EJ91]
    algorithm
  • From this, construct a μ-calculus algorithm
    solving the original game
  • 2EXPTIME algorithm

51
Solving LTL Games
  • This also gives a symbolic algorithm for LTL
    control
  • Moreover, the winning strategy can be synthesized
    symbolically [CONCUR01]

52
Summary
  • The symbolic approach shows how to engineer a
    model checker
  • Export a Region interface implementing the
    symbolic operations
  • The model checking algorithm is independent of
    the front end syntax and region representation
  • E.g., BLAST toolkit for software
  • Show how to do both symbolic verification and
    symbolic control and synthesize strategies
  • Show the relationship between the algorithms