Model Checking

1
Model Checking Lecture 4 Tom Henzinger
2
Model-Checking Problem
I S
System model
System property
3
System Model
-state-transition graph -weak or strong
fairness constraints
4
System Properties
Temporal logics -STL (finite runs) ??, ?U
-CTL (infinite runs) ??, ?U, ?? -LTL
(infinite traces) ?, U Automata -specificati
on automata (trace containment) -monitor
automata (trace emptiness) -simulation automata
(relation between states)
5
A Classification of Properties
-Finite ? -coFinite ? (safety) -Buchi
?? (weak fairness) -coBuchi ?? -Streett ? (
?? ? ??) (strong fairness) -Rabin ? ( ?? ? ??)
6
The Omega-Regular Languages (Automata)
Streett Rabin
Buchi
coBuchi
Finite
coFinite
counter-free omega-regular (LTL)
7
Model-Checking Algorithms Graph Algorithms

1. Finite/coFinite reachability
2. Buchi/coBuchi strongly connected components
3. Streett/Rabin recursive s.c.c.s
4. Simulation relation refinement

8
Graph Algorithms
Given labeled graph (Q, ?, A, ) Cost
each node access and edge access has unit
cost Complexity in terms of Q n
... number of nodes ? m ... number of
edges Reachability and s.c.c.s O(mn)
9
The Graph-Algorithmic View is Problematic
-The graph is given implicitly (by a program) not
explicitly (e.g., by adjacency lists). -Building
an explicit graph representation is exponential,
but usually unnecessary (on-the-fly
algorithms). -The explicit graph representation
may be so big, that the unit-cost model is not
realistic. -A class of algorithms, called
symbolic algorithms, do not operate on nodes
and edges at all.
10
Symbolic Model-Checking Algorithms
Given a symbolic theory, that is, an
abstract data type called region with the
following operations pre, ?pre, post, ?post
region ? region ?, ?, \ region ? region ?
region ? , region ? region ? bool lt gt,
gt lt A ? region ?, Q region
11
Intended Meaning of Symbolic Theories
region ... set of states ?, ?, \, ?, ,
? ... set operations ltagt q ? Q q a
gtalt q ? Q q ? a pre (R) q ? Q (?
r ? R) q ? r ?pre (R) q ? Q (? r)( q ? r
? r ? R ) post (R) q ? Q (? r ? R) r ? q
?post (R) q ? Q (? r)( r ? q ? r ? R )

12
If the state of a system is given by variables of
type Vals, and the transitions of the system can
be described by operations Ops on Vals, then the
first-order theory FO (Vals, Ops) is an adequate
symbolic theory
region ... formula of FO (Vals, Ops) ?, ?,
\, ?, , ?, Q ... ?, ?, , ? validity, ? validity,
f, t pre (R(X)) (? X)( Trans(X,X) ?
R(X) ) ?pre (R(X)) (? X)( Trans(X,X) ?
R(X) ) post (R(X)) (? X)( R(X) ?
Trans(X,X) ) ?post (R(X)) (? X)(
Trans(X,X) ? R(X) )
13
If FO (Vals, Ops) admits quantifier elimination,
then the propositional theory ZO (Vals, Ops) is
an adequate symbolic theory each pre/post
operation is a quantifier elimination
14
Example Boolean Systems
-all system variables X are boolean -region
quantifier-free boolean formula over X -pre,
post boolean quantifier elimination
Complexity PSPACE
15
Example Presburger Systems
-all system variables X are integers -the
transition relation Trans(X,X) is defined using
only ? and ? -region quantifier-free formula of
(Z, ?, ?) -pre, post quantifier elimination
16
An iterative language for writing
symbolic model-checking algorithms
-only data type is region -expressions pre,
post, ?, ?, \ , ? , , lt gt, ?, Q -assignment,
sequencing, while-do, if-then-else
17
Example Reachability ??a
S ? R ltagt while R ? S do S S ? R R
pre(R)
18
A recursive language for writing
symbolic model-checking algorithms The
Mu-Calculus
??a (? R) (a ? pre(R)) ??a (? R) (a ?
?pre(R))
19
Syntax of the Mu-Calculus

• a ?a
• ? ? ? ? ? ?
• pre(?) ?pre(?)
• (?R) ? (?R) ?
• R

pre ?? ?pre ??
R ... region variable
20
Semantics of the Mu-Calculus
a E ltagt ?a E gtalt
? ? ? E ? E ? ? E ? ? ?
E ? E ? ? E pre(?) E
pre( ? E ) ?pre(?) E ?pre( ? E
)
E maps each region variable to a region.
21
Operational Semantics of the Mu-Calculus
(?R) ? E S ? repeat S
S S ?E(R?S) until SS
return S (?R) ? E S Q
repeat S S S ?E(R?S) until SS
return S
22
Denotational Semantics of the Mu-Calculus
(?R) ? E smallest region S such that
S ?E(R?S) (?R) ? E largest
region S such that S ?E(R?S)
These regions are unique because all operators on
regions (?, ?, pre, ?pre) are monotonic.
23
??a (? R) (a ? pre(R)) ??a (? R)
(a ? pre(R)) ??a (? R) (a ? ?pre(R)) ??a
(? R) (a ? ?pre(R)) b ?U a (? R) (a
? (b ? pre(R))) ??? a (? R) (a ? pre(
??R )) (? R) (a ? pre( (? S) (R ?
pre(S)) ))
24
-every ?/? alternation adds expressiveness -all
omega-regular languages in alternation depth
2 -model checking complexity O( (? ? (mn)) d
) for formulas of alternation depth d -most
common implementation (SMV, Mocha) use BDDs to
represent boolean regions
25
Binary Decision Diagrams
-canonical data structure for representing
quantifier-free boolean formulas -equivalence
checking in constant time -in practice, model
checkers spend more than 90 of their time in
pre-image or post-image computation -almost
synonymous with symbolic model checking -SAT
solvers competitive in bounded model checking,
which requires no termination (i.e., equivalence)
check
26
Binary Decision Tree
-order k boolean variables x1, ..., xk -binary
tree of height k1, each leaf labeled 0 or
1 -leaf of path left, right, right, ... gives
value of boolean formula if x10, x21, x31,
etc.
27
Binary Decision Diagram

1. Identify isomorphic subtrees (this gives a dag)
2. Eliminate nodes with identical left and right
   successors (for this, nodes need to be labeled
   with variable names)

For a given boolean formula and variable order,
the result is unique. (The choice of variable
order may make an exponential difference!)
28
Operations on BDDs
?, ? recursive top-down traversal in O(u ? v)
time if u and v are the number of
respective BDD nodes ?, ? (?x) ?(x) ?(0) ?
?(1) Variable reordering
29
Deciding Simulation
30
Relation Refinement
Given state-transition graph (Q, ?, A,
) Find for each state q ? Q, the
set sim(q) ? Q of states that simulate q
31

for each t ? Q do sim(t) u ? Q u
t while there are three states s, t, u such
that t ? s u ? sim(t) sim(s) ? post(u)
? do sim(t) sim(t) \ u assert
if u simulates t, then u ? sim(t)
Efficient enumerative implementation O(m ? n)
32
Equivalent Variation
for each t ? Q do sim(t) u ? Q u
t while there are three states s, t, u such
that sim(s) ? post(t) ? ? u ?
sim(t) sim(s) ? post(u) ? do sim(t)
sim(t) \ u assert s ? sim(s)
assert if u simulates t and t ? sim(s),
then u ? sim(t)
33
Symbolic Implementation
Partition ltagt a ? A and ltagt ? ? for
each R ? Partition do sim(R) R while there
are two regions R, S ? Partition such that R ?
pre(sim(S)) ? ? sim(R)\pre(sim(S)) ? ?
do R R ? pre(sim(S)) R R\pre(sim(S))
Partition (Partition \ R) ? R sim(R)
sim(R) ? pre(sim(S)) if R ? ? then
Partition Partition ? R
sim(R) sim(R)
34
-symbolic algorithm applies also to
infinite-state systems -it terminates iff there
is a finite quotient so that any two equivalent
states simulate each other