Four Lectures on Model Checking - PowerPoint PPT Presentation

Slides: 54
Provided by: tah82
1
Four Lectures on Model Checking
Tom Henzinger University of California, Berkeley
2
Four Lectures on Model Checking: Lecture IV
1. Eight model-checking problems: logic vs. automata, linear vs. branching, safety vs. liveness
2. Finite-state systems: six graph algorithms for model checking
3. Infinite-state systems: from graph algorithms to symbolic algorithms
3
Model-checking problem
I ⊨ S
system model: state-transition graph
system property:
- safety v. weak v. strong fairness
- logic v. spec v. monitor automata
- linear v. branching
4
(Diagram: classes of properties, ordered from finite, i.e. boolean combinations of temporal operators, and safety, through weakly fair, to strongly fair and liveness.)
5
Model-checking problem
I ⊨ S
system model: state-transition graph
system property:
- safety (easiest) v. weak fairness (harder) v. strong fairness (hard)
- logic v. spec v. monitor automata
- linear v. branching
6
Model-Checking Algorithms Graph Algorithms
7
  • Safety
    - solve: STL (∃U model checking), finite monitors (◇ emptiness)
    - algorithm: reachability (linear)
  • Eventuality under weak fairness
    - solve: weakly fair CTL (?? model checking), Buchi monitors (□◇ emptiness)
    - algorithm: strongly connected components (linear)
  • Liveness
    - solve: strongly fair CTL, Streett monitors (⋀(□◇ → □◇) emptiness)
    - algorithm: recursively nested SCCs (quadratic)

8
From specification automata to monitor automata: determinization (exponential) and complementation (easy)
From LTL to monitor automata: complementation (easy) and tableau construction (exponential)
9
B1 Simulation: relation refinement (quadratic)
B2 Weakly fair simulation: Buchi game (quadratic)
B3 Strongly fair simulation: Streett game (quadratic in structures, exponential in fairness constraints)
10
Six Algorithms
  • Reachability
  • Strongly connected components
  • Recursively nested SCCs
  • Tableau construction
  • Relation refinement
  • Buchi games
  • Streett games
  • Streett determinization

11
Finite Emptiness
Given: finite automaton (S, S0, →, ?, FA)
Find: is there a path from a state in S0 to a state in FA?
Solution: depth-first or breadth-first search
12
Application 1: STL model checking
Application 2: finite monitors
13
Buchi Emptiness
Given: Buchi automaton (S, S0, →, ?, BA)
Find: is there an infinite path from a state in S0 that visits some state in BA infinitely often?
Solution:
1. Compute SCC graph by depth-first search
2. Mark SCC C as fair iff C ∩ BA ≠ ∅
3. Check if some fair SCC is reachable from S0
14
Application 1: CTL model checking over weakly-fair transition graphs (note: really need multi-Buchi)
Application 2: Buchi monitors
15
Streett Emptiness
Given: Streett automaton (S, S0, →, ?, SA)
Find: is there an infinite path from a state in S0 that satisfies all Streett conditions (l,r) in SA?
Solution: check if S0 ∩ RecSCC (S, →, SA) ≠ ∅
16
function RecSCC (S, →, SA)
  X := ∅
  for each C ∈ SCC (S, →) do
    F := ∅
    if →_C ≠ ∅ then
      for each (l,r) ∈ SA do
        if C ∩ r ≠ ∅ then F := F ∪ {(l,r)} else C := C \ l
      if F = SA then X := X ∪ pre*(C) else X := X ∪ RecSCC (C, →_C, F)
  return X
17
Complexity
n: number of states
m: number of transitions
s: number of Streett pairs
Reachability: O(n+m)
SCC: O(n+m)
RecSCC: O((n+m) · s²)
18
Application 1: CTL model checking over strongly-fair transition graphs
Application 2: Streett monitors
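As an added example (not code from the lecture), the following Python implements the SCC-based checks of slides 13 and 15-16 on a small constructed automaton. The helpers `sccs`, `reach` and `restrict`, the encoding of states as ints and Streett pairs as pairs of sets, and the replacement of the backward closure pre*(C) by one forward search from S0 are my choices:

```python
# Added example (not lecture code): Buchi and Streett emptiness via SCCs, after slides 13 and 16.
def sccs(states, succ):
    """Tarjan's SCC algorithm: returns the SCCs of (states, succ) as sets."""
    idx, low, stack, out = {}, {}, [], []
    def visit(v):
        idx[v] = low[v] = len(idx); stack.append(v)
        for w in succ.get(v, ()):
            if w not in idx:
                visit(w); low[v] = min(low[v], low[w])
            elif w in stack:
                low[v] = min(low[v], idx[w])
        if low[v] == idx[v]:                  # v is the root of an SCC
            i = stack.index(v); out.append(set(stack[i:])); del stack[i:]
    for v in states:
        if v not in idx: visit(v)
    return out
def reach(init, succ):
    """Forward reachability: every state on some path from init."""
    seen, todo = set(init), list(init)
    while todo:
        for w in succ.get(todo.pop(), ()):
            if w not in seen: seen.add(w); todo.append(w)
    return seen
def restrict(succ, c):                         # the ->_C of slide 16
    return {v: [w for w in succ.get(v, ()) if w in c] for v in c}
def buchi_nonempty(states, s0, succ, ba):
    """Slide 13: a nontrivial SCC C with C & BA != {} is reachable from S0."""
    reachable = reach(s0, succ)
    return any(any(restrict(succ, c).values()) and c & ba and c & reachable
               for c in sccs(states, succ))

def rec_scc(states, succ, sa):
    """Slide 16 (RecSCC): states on a cycle satisfying every Streett pair
    (l, r) in sa, read as 'l infinitely often implies r infinitely often'."""
    x = set()
    for c in sccs(states, succ):
        if not any(restrict(succ, c).values()):
            continue                          # trivial SCC: no infinite path
        f = []                                # pairs already satisfiable in C
        for l, r in sa:
            if c & r: f.append((l, r))
            else: c = c - l                   # no r in C: must avoid l forever
        x |= c if len(f) == len(sa) else rec_scc(c, restrict(succ, c), f)
    return x

def streett_nonempty(states, s0, succ, sa):   # slide 15, pre*(C) done as one forward search
    return bool(reach(s0, succ) & rec_scc(states, succ, sa))

# Constructed sample: 0 -> 1 <-> 2, 2 -> 3 <-> 4 (two nontrivial SCCs).
STATES, SUCC = {0, 1, 2, 3, 4}, {0: [1], 1: [2], 2: [1, 3], 3: [4], 4: [3]}
```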
19
Tableau Construction
Given: LTL formula φ
Find: Buchi automaton M_φ such that L(M_φ) = L(φ)
M_φ monitors subformulas of φ
[Fischer & Ladner 1975; Manna & Wolper 1982]
20
Fischer-Ladner Closure of a Formula
Sub (a) = {a}
Sub (φ∧ψ) = {φ∧ψ} ∪ Sub (φ) ∪ Sub (ψ)
Sub (¬φ) = {¬φ} ∪ Sub (φ)
Sub (○φ) = {○φ} ∪ Sub (φ)
Sub (φUψ) = {φUψ, ○(φUψ)} ∪ Sub (φ) ∪ Sub (ψ)
|Sub (φ)| = O(|φ|)
21
s ⊆ Sub (φ) is consistent iff
- if (ψ∧χ) ∈ Sub (φ) then (ψ∧χ) ∈ s iff ψ ∈ s and χ ∈ s
- if (¬ψ) ∈ Sub (φ) then (¬ψ) ∈ s iff ψ ∉ s
- if (ψUχ) ∈ Sub (φ) then (ψUχ) ∈ s iff either χ ∈ s or ψ ∈ s and ○(ψUχ) ∈ s
22
Tableau M_φ = (S, S0, →, ?, BA)
S ... set of consistent subsets of Sub (φ)
s ∈ S0 iff φ ∈ s
s → t iff for all (○ψ) ∈ Sub (φ), (○ψ) ∈ s iff ψ ∈ t
?(s) ... conjunction of atomic observations in s and negated atomic observations not in s
For each (ψUχ) ∈ Sub (φ), BA contains {s | χ ∈ s or (ψUχ) ∉ s}
23
Size of M_φ is O(2^|φ|).
CTL model checking: linear / quadratic
LTL model checking: PSPACE-complete
24
Relation Refinement
Given: state-transition graph K = (Q, →, A, ?), specification automaton M = (S, S0, →, ?)
Find: for each state q ∈ Q, the set sim(q) ⊆ S of states that simulate q

for each t ∈ Q do sim(t) := {u ∈ S | t ⊨ ?(u)}
while there are three states s, t, u such that t → s, u ∈ sim(t), sim(s) ∩ post(u) = ∅ do
  sim(t) := sim(t) \ {u}
assert: if u simulates t, then u ∈ sim(t)
25
Complexity of relation refinement: O(mn) [Bloom & Paige; Henzinger, Henzinger & Kopke 1995]
Relation refinement produces a maximal simulation relation R. With fairness, it suffices to check if the specification has a winning strategy G that follows R:
- (qn, G(q0...qn)) ∈ R
- for all infinite fair runs q0 q1 ... of K, G(q0) G(q0q1) G(q0q1q2) ... ∈ L(M).
Buchi game
26
Finite Emptiness
Given: finite automaton (S, S0, →, ?, FA)
Find: is there a path from a state in S0 to a state in FA?
Solution: depth-first or breadth-first search, O(m+n)
27
Finite Games
Given: finite game (S∧, S∨, S0, →, ?, FA)
Find: is there a strategy of the Or player to get from a state in S0 to a state in FA?
And nodes: And player moves; Or nodes: Or player moves (And-Or graph)
Solution: backward accumulation of winning states, O(n+m)
28
Buchi Emptiness
Given: Buchi automaton (S, S0, →, ?, BA)
Find: is there an infinite path from a state in S0 that visits some state in BA infinitely often?
Solution:
1. Compute SCC graph by depth-first search
2. Mark SCC C as fair iff C ∩ BA ≠ ∅
3. Check if some fair SCC is reachable from S0
O(m+n)
29
Buchi Games
Given: Buchi game (S∧, S∨, S0, →, ?, BA)
Find: is there a strategy of the Or player to get from a state in S0 to a state in BA infinitely often?
Solution:
1. Compute the states BA1 ⊆ BA from which there is an Or strategy to get to BA
2. Compute the states BA2 ⊆ BA1 from which there is an Or strategy to get to BA1
3. Etc.
4. Check if there is an Or strategy to get from a state in S0 to a state in BA∞
O((m+n) · n)
30
Model-Checking Algorithms Graph Algorithms
  • Finite/coFinite reachability
  • Buchi/coBuchi strongly connected components
  • Streett/Rabin recursive s.c.c.s
  • Simulation relation refinement
  • Fair simulation game

31
Graph Algorithms
Given: labeled graph (Q, →, A, ?)
Cost: each node access and edge access has unit cost
Complexity in terms of |Q| = n ... number of nodes, |→| = m ... number of edges
Reachability and s.c.c.s: O(m+n)
32
The Graph-Algorithmic View is Problematic
- The graph is given implicitly (by a program), not explicitly (e.g., by adjacency lists).
- Building an explicit graph representation is exponential, but usually unnecessary (on-the-fly algorithms).
- The explicit graph representation may be so big that the unit-cost model is not realistic.
- A class of algorithms, called symbolic algorithms, do not operate on nodes and edges at all.
33
Symbolic Model-Checking Algorithms
Given a symbolic theory, that is, an abstract data type called region with the following operations:
pre, ∀pre, post, ∀post : region → region
∪, ∩, \ : region × region → region
⊆, = : region × region → bool
<·>, >·< : A → region
∅, Q : region
34
Intended Meaning of Symbolic Theories
region ... set of states
∪, ∩, \, ⊆, =, ∅ ... set operations
<a> = {q ∈ Q | q ⊨ a}
>a< = {q ∈ Q | q ⊭ a}
pre (R) = {q ∈ Q | (∃ r ∈ R) q → r}
∀pre (R) = {q ∈ Q | (∀ r)( q → r ⇒ r ∈ R )}
post (R) = {q ∈ Q | (∃ r ∈ R) r → q}
∀post (R) = {q ∈ Q | (∀ r)( r → q ⇒ r ∈ R )}

35
If the state of a system is given by variables of type Vals, and the transitions of the system can be described by operations Ops on Vals, then the first-order theory FO (Vals, Ops) is an adequate symbolic theory:
region ... formula of FO (Vals, Ops)
∪, ∩, \, ⊆, =, ∅, Q ... ∨, ∧, ∧¬, ⇒ validity, ⇔ validity, f, t
pre (R(X)) = (∃ X')( Trans(X,X') ∧ R(X') )
∀pre (R(X)) = (∀ X')( Trans(X,X') ⇒ R(X') )
post (R(X)) = (∃ X')( R(X') ∧ Trans(X',X) )
∀post (R(X)) = (∀ X')( Trans(X',X) ⇒ R(X') )
36
If FO (Vals, Ops) admits quantifier elimination, then the propositional theory ZO (Vals, Ops) is an adequate symbolic theory: each pre/post operation is a quantifier elimination
37
Example: Boolean Systems
- all system variables X are boolean
- region: quantifier-free boolean formula over X
- pre, post: boolean quantifier elimination
Complexity: PSPACE
38
Example: Presburger Systems
- all system variables X are integers
- the transition relation Trans(X,X') is defined using only + and ≤
- region: quantifier-free formula of (Z, +, ≤)
- pre, post: quantifier elimination
39
An iterative language for writing symbolic model-checking algorithms
- only data type is region
- expressions: pre, post, ∪, ∩, \, ⊆, =, <·>, ∅, Q
- assignment, sequencing, while-do, if-then-else
40
Example: Reachability ∃◇a
S := ∅; R := <a>
while R ⊈ S do
  S := S ∪ R
  R := pre(R)
41
A recursive language for writing symbolic model-checking algorithms: The Mu-Calculus
∃◇a = (μR)(a ∨ pre(R))
∀□a = (νR)(a ∧ ∀pre(R))
42
Syntax of the Mu-Calculus
  • a | ¬a
  • φ ∨ φ | φ ∧ φ
  • pre(φ) | ∀pre(φ)
  • (μR) φ | (νR) φ
  • R

pre = ∃○, ∀pre = ∀○
R ... region variable
43
Semantics of the Mu-Calculus
⟦a⟧E = <a>
⟦¬a⟧E = >a<
⟦φ ∨ ψ⟧E = ⟦φ⟧E ∪ ⟦ψ⟧E
⟦φ ∧ ψ⟧E = ⟦φ⟧E ∩ ⟦ψ⟧E
⟦pre(φ)⟧E = pre(⟦φ⟧E)
⟦∀pre(φ)⟧E = ∀pre(⟦φ⟧E)
E maps each region variable to a region.
44
Operational Semantics of the Mu-Calculus
⟦(μR) φ⟧E:
  S := ∅
  repeat S' := S; S := ⟦φ⟧E(R ↦ S) until S = S'
  return S
⟦(νR) φ⟧E:
  S := Q
  repeat S' := S; S := ⟦φ⟧E(R ↦ S) until S = S'
  return S
45
Denotational Semantics of the Mu-Calculus
⟦(μR) φ⟧E = smallest region S such that S = ⟦φ⟧E(R ↦ S)
⟦(νR) φ⟧E = largest region S such that S = ⟦φ⟧E(R ↦ S)
These regions are unique because all operators on regions (∪, ∩, pre, ∀pre) are monotonic.
46
∃◇a = (μR)(a ∨ pre(R))
∃□a = (νR)(a ∧ pre(R))
∀◇a = (μR)(a ∨ ∀pre(R))
∀□a = (νR)(a ∧ ∀pre(R))
b ∃U a = (μR)(a ∨ (b ∧ pre(R)))
∃□◇a = (νR) ∃◇(a ∧ pre(R)) = (νR)(μS)((a ∧ pre(R)) ∨ pre(S))
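Added example, not from the lecture: the symbolic theory of slides 33-34 with regions represented as Python frozensets (an explicit stand-in for the formula or BDD representation), the fixpoint iteration of slide 44, and the operators of slide 46 written as mu-calculus expressions over it. The `Graph` class, `fix`, and the sample graph and labels are constructed here:

```python
# Added example (not lecture code): the symbolic theory of slides 33-34 with regions
# as frozensets, the fixpoint iteration of slide 44, and the operators of slide 46.
def fix(f, start):
    """Iterate S := f(S) from start until S stops changing (slide 44)."""
    s = start
    while True:
        t = f(s)
        if t == s:
            return s
        s = t

class Graph:
    """Labeled transition graph offering the region operations of slide 34."""
    def __init__(self, succ, labels):
        self.Q = frozenset(succ); self.succ = succ; self.labels = labels
    def obs(self, a):                # <a> = {q in Q | q |= a}
        return frozenset(q for q in self.Q if a in self.labels.get(q, ()))
    def pre(self, R):                # {q | some successor of q is in R}
        return frozenset(q for q in self.Q if any(r in R for r in self.succ[q]))
    def apre(self, R):               # {q | every successor of q is in R}
        return frozenset(q for q in self.Q if all(r in R for r in self.succ[q]))
    def mu(self, f):                 # least fixpoint: iterate up from the empty region
        return fix(f, frozenset())
    def nu(self, f):                 # greatest fixpoint: iterate down from Q
        return fix(f, self.Q)

def ex_eventually(g, a):             # E<>a = (mu R)(a or pre(R))
    return g.mu(lambda R: g.obs(a) | g.pre(R))
def all_always(g, a):                # A[]a = (nu R)(a and forall-pre(R))
    return g.nu(lambda R: g.obs(a) & g.apre(R))
def ex_until(g, b, a):               # b EU a = (mu R)(a or (b and pre(R)))
    return g.mu(lambda R: g.obs(a) | (g.obs(b) & g.pre(R)))
def ex_always_eventually(g, a):      # E[]<>a = (nu R)(mu S)((a and pre(R)) or pre(S))
    return g.nu(lambda R: g.mu(lambda S: (g.obs(a) & g.pre(R)) | g.pre(S)))

# Constructed sample: 1 loops on itself, 2 -> 3 -> 4 -> 2 is a cycle, 5 leads into
# the sink 6; a holds at 2, 4 and 5, b holds at 0, 1, 2 and 3.
G = Graph({0: [1, 2, 5], 1: [1], 2: [3], 3: [4], 4: [2], 5: [6], 6: [6]},
          {0: {'b'}, 1: {'b'}, 2: {'a', 'b'}, 3: {'b'}, 4: {'a'}, 5: {'a'}})
```

State 5 separates the two last results: it can reach an a-state once but not infinitely often, so it is in ∃◇a but not in ∃□◇a.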
47
- every μ/ν alternation adds expressiveness
- all omega-regular languages in alternation depth 2
- model checking complexity O((|φ| · (m+n))^d) for formulas of alternation depth d
- most common implementations (SMV, Mocha) use BDDs to represent boolean regions
48
Binary Decision Diagrams
- canonical data structure for representing quantifier-free boolean formulas
- equivalence checking in constant time
- in practice, model checkers spend more than 90% of their time in pre-image or post-image computation
- almost synonymous with symbolic model checking
- SAT solvers superior in bounded model checking, which requires no termination (i.e., equivalence) check

49
Binary Decision Tree
- order k boolean variables x1, ..., xk
- binary tree of height k+1, each leaf labeled 0 or 1
- leaf of path left, right, right, ... gives value of boolean formula if x1=0, x2=1, x3=1, etc.
50
Binary Decision Diagram
  • Identify isomorphic subtrees (this gives a dag)
  • Eliminate nodes with identical left and right
    successors (for this, nodes need to be labeled
    with variable names)

For a given boolean formula and variable order,
the result is unique. (The choice of variable
order may make an exponential difference!)
51
(x ∧ y) ∨ (x' ∧ y'), variable order x, y, x', y'
(Diagram: the reduced BDD, with one decision node each for x, y, x' and y', 0/1-labeled edges, and the terminals 0 and 1.)
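Added example, not from the lecture: a reduced ordered BDD built by Shannon expansion of the decision tree (slide 49) with the two reduction rules of slide 50, applied to the formula of slide 51 under two variable orders to show that the order changes the diagram size. The `BDD` class and its node encoding are my own:

```python
# Added example (not lecture code): reduced ordered BDDs by Shannon expansion
# with the two rules of slide 50, applied to the slide-51 formula.
from itertools import product

class BDD:
    """Nodes are ints: 0 and 1 are terminals, others index (var, low, high)."""
    def __init__(self, order):
        self.order = order               # variable order, root variable first
        self.unique = {}                 # (var, low, high) -> node id
        self.nodes = {0: None, 1: None}  # node id -> (var, low, high)
    def mk(self, var, low, high):
        if low == high:                  # rule 2: identical successors, drop the node
            return low
        key = (var, low, high)           # rule 1: share isomorphic subtrees
        if key not in self.unique:
            self.unique[key] = len(self.nodes)
            self.nodes[self.unique[key]] = key
        return self.unique[key]
    def build(self, f, env=None, i=0):
        """Expand the decision tree of slide 49 and reduce it bottom-up."""
        env = {} if env is None else env
        if i == len(self.order):         # leaf: the formula's value
            return int(bool(f(env)))
        v = self.order[i]
        return self.mk(v, self.build(f, {**env, v: False}, i + 1),
                          self.build(f, {**env, v: True}, i + 1))
    def evaluate(self, node, env):
        while node not in (0, 1):
            var, low, high = self.nodes[node]
            node = high if env[var] else low
        return bool(node)
    def size(self):
        return len(self.unique)          # number of decision (non-terminal) nodes

def formula(e):                          # (x and y) or (x' and y'), slide 51
    return (e['x'] and e['y']) or (e["x'"] and e["y'"])

def build_for(order):
    """Return (bdd, root, size) of the slide-51 formula under the given order."""
    bdd = BDD(order)
    root = bdd.build(formula)
    return bdd, root, bdd.size()

def agrees_everywhere(bdd, root):
    """Check the BDD against the formula on all assignments."""
    return all(bdd.evaluate(root, env) == formula(env) for env in
               (dict(zip(bdd.order, bits)) for bits in product([False, True], repeat=len(bdd.order))))
ORDER_A = ['x', 'y', "x'", "y'"]         # the order used on slide 51
ORDER_B = ['x', "x'", 'y', "y'"]
```

With ORDER_A the diagram has 4 decision nodes (one per variable, as on the slide); moving x' before y gives 6.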
52
Operations on BDDs
∧, ∨: recursive top-down traversal in O(u · v) time if u and v are the number of respective BDD nodes
∃, ∀: (∃x) φ(x) = φ(0) ∨ φ(1)
Variable reordering
53
Model Checking: From Finite-state to Hybrid Systems
- symbolic algorithms apply also to infinite-state systems
- important new question: termination