Model Checking in the Propositional -Calculus€¦ · Propositional -Calculus Branchingtime...

Model Checking in the Propositional µ-Calculus

Ka I Violet Pun

INF 9140 - Specification and Verification of Parallel Systems

13th May, 2011

Overview

Model Checking is a useful means to automatically ascertainthe specification of a system

Use logics to specify the properties of a systemUse a decision procedure to decide if the system satisfies thespecification

Propositional µ-Calculus

Branching time temporal logicExpressive logic: many branching time logics can be translatedinto this logicFully characterize the behaviour of finite-state processes

Tableau-based proof system

Top-down proofsDetermine whether states in a finite-state system satisfypropositions specified in µ-calculus

Violet Pun Model Checking in the Propositional µ-Calculus 2 / 24

Syntax

Grammar of the propositions

Φ ::= A | X | ¬Φ | Φ ∨ Φ | 〈a〉Φ | νX .Φ

formula {Φ, . . . , }atomic formulas A = {A, . . . , }propositional variables V = {X , . . . , }actions symbols Act = {a, . . . , }propositional connectives ¬ and ∨modal operator 〈a〉recursion operator ν


Syntax

Modal operators in µ-calculus are indexed by an action a

[a]Φ can be written as ¬〈a〉¬Φ

Φ ¬Φ

a a

Φ’

b

Figure: 〈a〉Φ

Φ

a a

Φ’

b

Φ

Figure: [a]Φ


Syntax

Recursion operators are used for recursive formula νX .Φ andµX .Φ,

ν is a greatest fixed point operator

µ is a least fixed point operator

µX .Φ is written as ¬νX .¬Φ[¬X/X ]

Syntactic Restrictions on Φ

Any occurrence of X in Φ must occur inside the scope of an evennumber of negation to maintain monotonicity


Transition System

Models of µ-calculus is a labelled transition system

A representation of operational behaviour of procecsses

〈S,Act,→〉

S is a set of states {s, . . . }Act is a set of actions {a, . . . }→ is a transition relation on S × Act × S, written as s

a−→ s ′

for some state s ′


Model of µ-calculus

Models for the µ-calculus is a quadruple of the form

〈S,Act,→,V 〉

〈S,Act,→〉 is a labelled transition system

V is a function, called valuation, maps each A ∈ A to sets ofstates where A holds


Semantics of the propositions

Semantics of the µ-calculus is written in the form JΦKe

JAKe = V (A)

JX Ke = e(X )

J¬ΦKe = S − JΦKe

JΦ1 ∨ Φ2Ke = JΦ1Ke ∪ JΦ2Ke

J〈a〉ΦKe = ϕa(JΦKe), where ϕa(S) = {s ′ | ∃s ∈ S .s ′ a−→ s}

JνX .ΦKe =⋃{S ⊆ S | S ⊆ JΦKe[X 7→ S ]}

Remarks

1 e is an environment which maps variables to sets of states

2 e[X 7→ S ] represents the environment e with variable Xreplaced by S


Lattice

For any set χ,〈2χ,⊆,∪,∩〉

is a complete lattice where

2χ a set

⊆ ordering relation

〈2χ,⊆〉 is a partially ordered set

∪ the least upper bound

∩ the greatest lower bound


Fixed points

A fixed point of a function φ over a lattice is

φ(S) = S , where S ⊆ χ

and a set of fixed points is written as

{S ⊆ χ | φ(S) = S}

A greatest fixed point, X, of φ is

X ∈ {S ⊆ χ | φ(S) = S}∃X ′,X ′ ∈ {S ⊆ χ | φ(S) = S},X ′ ⊆ X

A least fixed point, X, of φ is

X ∈ {S ⊆ χ | φ(S) = S}∃X ′,X ′ ∈ {S ⊆ χ | φ(S) = S},X ⊆ X ′


Fixed points

A function φ is monotone over a lattice if

X1 ⊆ X2

φ(X1) ⊆ φ(X2)

Tarski’s Fixed Point Theorem

If the function φ over a lattice is monotonic, then it has

Greatest fixed point νφ⋃{S ⊆ χ | S ⊆ φ(S)}

Least fixed point µφ⋂{S ⊆ χ | φ(S) ⊆ S}


Fixed points

For µ-calculus, given an environment e, a function φ is defined by

φ(S) = JΦKe[X 7→ S ]

Syntactic Restrictions on Φ

Any occurrences of X in Φ must occur inside the scope of an evennumber of negation

guarantees function φ over a lattice defined by 2S to bemonotonic, because

¬ is anti-monotonic

Hence, φ has a greatest fixed point νφ.


Fixed points

〈2S ,⊆,∪,∩〉 is finite

every monotonic function over a finite complete lattice iscontinuous

Kleene’s Fixed Point Theorem

The greatest/least fixed point of a continuous funtion φ

νφ =⋂∞

i=0 φi

µφ =⋃∞

i=0 φ′i

where φ0 = Sφi+1 = φ(φi )φ′0 = ∅

φ′i+1 = φ(φ′i )


Fixed points

!" = ⋃!!!! !′!

!" = ⋂!!!! !!

∅

!

!(!!)

⋂!!!! !!

⋃!!!! !′!

!(!′!)

! ⊆ ! ! ! = !}

! ⊆ ! ! ⊆ !(!)}

! ⊆ ! !(!) ⊆ !}

!" = ⋂ ! ⊆ ! ! ! = !} = ⋂ ! ⊆ ! !(!) ⊆ !}

!" = ⋃ ! ⊆ ! ! ! = !} = ⋃ ! ⊆ ! ! ⊆ !(!)}


The Tableau-Based Proof System

The proofs are conducted in a top-down fashion: conclusionsabove premises

A decision procedure to determine if states have propertiesspecified

Not necessary to examine every state in the system

Reuse information computated in one phase of the tableauconstruction process



Proof rules operate on sequents

Sequents

H `M s ∈ Φ

M is a model

s is a state from M

H is a set of hypotheses {s ′:Γ}s ′ a stateΓ a closed recursive formula

written as σ, . . . , for short



Tableau for a sequent σ is a maximal proof tree constructed by thetableau rules and having σ as the root

Given a sequent σ′ that is resulting from applying a rule to σ,

σ′ is the child of σσ is the parent of σ′

a sequent in a tableau is a leaf if it does not have any children

the height of a tableau is the length of the longest sequence〈σ0, σ1, . . . 〉



Definition

A leaf H ` s ∈ Φ is successful if

1 Φ ∈ A and s ∈ V (Φ), or

2 Φ is ¬A for some A ∈ A and s 6∈ V (A), or

3 Φ is ¬〈a〉Φ′ for some a and Φ′, or

4 Φ is νX .Φ′ when s : νX .Φ ∈ H for some X and Φ′

A tableau is successful when all its leaves are successful

A sequent σ has a proof if it has a successful tableau


Tableau rules for the propositional µ-calculus

R1

H ` s ∈ ¬¬Φ

H ` s ∈ Φ

R2

H ` s ∈ Φ1 ∨ Φ2

H ` s ∈ Φ1

R3

H ` s ∈ Φ1 ∨ Φ2

H ` s ∈ Φ2

R4

H ` s ∈ ¬(Φ1 ∨ Φ2)

H ` s ∈ ¬Φ1,H ` s ∈ ¬Φ2

R5

H ` s ∈ 〈a〉Φ(s′ ∈ {s′ | s a−→ s′})

H ` s′ ∈ Φ

R6

H ` s ∈ ¬〈a〉Φ({s1, s2, ...} = {s′ | s a−→ s′})

H ` s1 ∈ ¬Φ,H ` s2 ∈ ¬Φ, . . .

R7

H ` s ∈ νX .Φ(s : νX .Φ 6∈ H)

H′ ∪ {s : νX .Φ} ` s ∈ Φ[νX .Φ/X ]

R8

H ` s ∈ ¬νX .Φ(s : νX .Φ 6∈ H)

H′ ∪ {s : νX .Φ} ` s ∈ ¬Φ[νX .Φ/X ]

where H′ = H − {s′ : Γ | νX .Φ ≺ Γ}


Tableau rules for the propositional µ-calculus

R7

H ` s ∈ νX .Φ(s : νX .Φ 6∈ H)

H′ ∪ {s : νX .Φ} ` s ∈ Φ[νX .Φ/X ]

where H′ = H − {s′ : Γ | νX .Φ ≺ Γ}

A state satisifes a recursive property if it satisfies the unrolling ofthe property.

Assumptions involving formulas having the the recursiveformula as a subformula are removed.


Model Checking Algorithm

Example algorithm: a simple straightforward procedure


Model Checking Algorithm

The simple algorithm is not efficient

Exponential behaviour for formulas

Reason:

Nested modal operator

No provision for storing the reseults of sequents whose truthhas been determined


Possible solution

Save the result from the previous computation and look it uplater

Truth of sequents can be deduced solely based on the truth ofthe other sequents

Suppose that H ` s ∈ νX .Φ has a successful tableau. ThenH ∪ {s : νX .Φ} ` s ′ ∈ Γ has a successful tableau if and only ifH ` s ′ ∈ Γ does.


References I

[Cleaveland, 1990] Cleaveland, R. (1990).

Tableau-based model checking in the propositional mu-calculus.

Acta Informatica, 27:725–747.

[Emerson, 1997] Emerson, E. A. (1997).

Model checking and the mu-calculus.

In DIMACS Series in Discrete Mathematics, pages 185–214. AmericanMathematical Society.

[Nielson et al., 1999] Nielson, F., Nielson, H.-R., and Hankin, C. L.(1999).

Principles of Program Analysis.

Springer-Verlag.


Model Checking in the Propositional -Calculus€¦ · Propositional -Calculus Branchingtime...

Documents

Transcript of Model Checking in the Propositional -Calculus€¦ · Propositional -Calculus Branchingtime...