Model Checking
Lecture 3
Tom Henzinger
Model-Checking Problem

I |= S

(I: system model, S: system property)
System Model
- state-transition graph
- weak or strong fairness constraints
System Properties
Temporal logics
- STL (finite runs): ∃○, ∃U
- CTL (infinite runs): ∃○, ∃U, ∃□
- LTL (infinite traces): ○, U
Automata
- specification automata (trace containment)
- monitor automata (trace emptiness)
- simulation automata (relation on finite runs)
Acceptance Conditions
- finite automata: ◇FA (some accepting state is visited)
- Buchi automata: □◇BA (some accepting state is visited infinitely often)
- coBuchi automata: ◇□ over the accepting set (from some point on, only accepting states are visited)
- Streett automata: ∧ over the pairs (l, r) of (□◇l → □◇r) (if l is visited infinitely often, then so is r)
- Rabin automata: ∨ over the pairs (l, r) of (◇□¬l ∧ □◇r) (l is visited only finitely often and r infinitely often)
Response specification automaton for □(a → ◇b), assuming (a ∧ b) = false:
[Figure: four-state automaton s0, s1, s2, s3 over the observations a and b]
Buchi condition { s0, s3 }
Response monitor automaton for □(a → ◇b), assuming (a ∧ b) = false (it accepts exactly the traces that violate the response property):
[Figure: three-state automaton s0, s1, s2 over the observations a and b; s0 carries a self-loop labeled true]
Buchi condition { s2 }
[Figure: two-state automaton s0, s1 over the observation a; each acceptance condition below describes the same language on this automaton]
Buchi condition { s0 } (s0 is visited infinitely often)
No coBuchi condition
Streett condition { ({s0,s1}, {s0}) }
Rabin condition { (∅, {s0}) }
[Figure: the same two-state automaton s0, s1 over the observation a]
No Buchi condition
coBuchi condition { s0 } (from some point on, only s0 is visited)
Streett condition { ({s1}, ∅) }
Rabin condition { ({s1}, {s0,s1}) }
[Figure: three-state automaton s0, s1, s2 over the observation a]
Buchi condition { s2 }
- Buchi automata cannot be determinized: nondeterministic Buchi automata are strictly more expressive than deterministic Buchi automata
- coBuchi automata can be determinized [Miyano & Hayashi 1984], but deterministic coBuchi automata capture only a strict subset of the omega-regular languages
- Streett and Rabin automata can be determinized
nondeterministic Buchi = deterministic Streett = deterministic Rabin = nondeterministic Streett = nondeterministic Rabin = omega-regular [Buchi 1960]
Omega-automata are strictly more expressive than LTL:
- Omega-automata: omega-regular languages
- LTL: counter-free omega-regular languages
Omega-automata: omega-regular languages = second-order theory of monadic predicates & successor (S1S) = omega-regular expressions
LTL: counter-free omega-regular languages = first-order theory of monadic predicates & successor = star-free omega-regular expressions
Structure of the Omega-Regular Languages
[Figure: lattice of acceptance conditions, Streett = Rabin at the top, Buchi and coBuchi below them, Finite and coFinite at the bottom]
Structure of the Counter-free Omega-Regular Languages
[Figure: hierarchy whose top level is the finite boolean combinations of □◇ and ◇□ properties]
The location of a linear-time property in the Borel hierarchy indicates how hard (theoretically as well as conceptually) the corresponding model-checking problem is.
[Figure: the hierarchy of counter-free properties with the classes placed at their levels: safety at the bottom, response, weak fairness and strong fairness above it, and finite boolean combinations of □◇ and ◇□ at the top]
Model-Checking Algorithms = Graph Algorithms
1 Safety:
- solve: STL (∃U model checking), finite monitors (◇FA emptiness)
- algorithm: reachability (linear)
2 Response under weak fairness:
- solve: weakly fair CTL (∃□ model checking), Buchi monitors (□◇BA emptiness)
- algorithm: strongly connected components (linear)
3 Liveness:
- solve: strongly fair CTL, Streett monitors (∧(□◇l → □◇r) emptiness)
- algorithm: recursively nested SCCs (quadratic)
From specification automata to monitor automata:
determinization (exponential) + complementation (easy)
Simulation automata:
preorder refinement (quadratic)
From LTL to monitor automata:
complementation (easy) + tableau construction (exponential)
Six Algorithms
1 Reachability
2 Strongly connected components
3 Recursively nested SCCs
4 Tableau construction
5 Preorder refinement
6 Streett determinization
Finite Emptiness
Given: finite automaton (S, S0, →, labeling, FA): states S, initial states S0, transition relation →, observation labeling of the states, accepting states FA
Find: is there a path from a state in S0 to a state in FA?
Solution: depth-first or breadth-first search
Application 1: STL model checking
Application 2: finite monitors
Buchi Emptiness
Given: Buchi automaton (S, S0, →, labeling, BA)
Find: is there an infinite path from a state in S0 that visits some state in BA infinitely often?
Solution:
1. Compute the SCC graph by depth-first search
2. Mark SCC C as fair iff C is nontrivial (contains at least one transition, so that an infinite path can stay in it) and C ∩ BA ≠ ∅
3. Check if some fair SCC is reachable from S0
Application 1: CTL model checking over weakly-fair transition graphs (note: this really needs multiBuchi, i.e. a generalized Buchi condition with one accepting set per fairness constraint)
Application 2: Buchi monitors
Streett Emptiness
Given: Streett automaton (S, S0, →, labeling, SA)
Find: is there an infinite path from a state in S0 that satisfies all Streett pairs (l, r) ∈ SA, i.e. whenever l is visited infinitely often, r is visited infinitely often?
Solution: check if S0 ∩ RecSCC(S, →, SA) ≠ ∅
function RecSCC(S, →, SA):
    X := ∅
    for each C ∈ SCC(S, →) do
        if C contains a transition then                (a trivial SCC carries no infinite path)
            F := ∅
            for each (l, r) ∈ SA do
                if C ∩ r ≠ ∅ then F := F ∪ {(l, r)}      (r can be visited infinitely often inside C)
                else C := C \ l                           (r cannot, so a fair path must avoid l)
            if F = SA then X := X ∪ pre*(C)
            else if C ≠ ∅ then X := X ∪ pre*(RecSCC(C, → ∩ (C × C), F))
    return X

pre* is computed in the graph (S, →): it adds every state from which the fair SCC (or the result of the recursive call) is reachable. The recursive call receives only the pairs in F: the pairs whose l-states were removed from C are trivially satisfied in the remaining subgraph.
Complexity
n: number of states, m: number of transitions, s: number of Streett pairs
Reachability: O(n+m)
SCC: O(n+m)
RecSCC: O((n+m) · s²)
Application 1: CTL model checking over strongly-fair transition graphs
Application 2: Streett monitors
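The three emptiness checks of the preceding slides (reachability for finite acceptance, SCC decomposition for Buchi acceptance, RecSCC for Streett acceptance), as an added Python example that is not part of the lecture. The automaton is represented as a successor map over integer states, Tarjan's algorithm is used for the SCC decomposition, and the example graph, initial set and acceptance sets are constructed for illustration. The explicit check that an SCC is nontrivial is the step that is easy to forget: a single state without a self-loop is an SCC but carries no infinite path.

```python
from collections import deque


def reachable(succ, init):
    """Forward search: all states reachable from `init` in the graph `succ`."""
    seen, todo = set(init), deque(init)
    while todo:
        s = todo.popleft()
        for t in succ.get(s, ()):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def finite_nonempty(succ, init, FA):
    """Finite emptiness: is some state of FA reachable from S0?  O(n+m)."""
    return bool(reachable(succ, init) & set(FA))


def sccs(nodes, succ):
    """Tarjan's SCC decomposition of the subgraph induced by `nodes`."""
    index, low, stack, on_stack, comps = {}, {}, [], set(), []

    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in succ.get(v, ()):
            if w not in nodes:
                continue
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            comps.append(comp)

    for v in nodes:
        if v not in index:
            visit(v)
    return comps


def nontrivial(comp, succ):
    """An SCC carries an infinite path iff it contains at least one edge."""
    return any(t in comp for s in comp for t in succ.get(s, ()))


def pre_star(nodes, succ, target):
    """pre*(target): states of `nodes` from which `target` is reachable."""
    pred = {}
    for s in nodes:
        for t in succ.get(s, ()):
            if t in nodes:
                pred.setdefault(t, set()).add(s)
    return reachable(pred, set(target) & set(nodes))


def buchi_nonempty(succ, init, BA):
    """Buchi emptiness: a reachable, nontrivial SCC that meets BA.  O(n+m)."""
    nodes = reachable(succ, init)
    return any(nontrivial(c, succ) and c & set(BA) for c in sccs(nodes, succ))


def rec_scc(nodes, succ, SA):
    """RecSCC: states of `nodes` from which an infinite path satisfies every
    Streett pair (l, r) in SA ('l infinitely often' implies 'r infinitely often')."""
    X = set()
    for C in sccs(nodes, succ):
        if not nontrivial(C, succ):
            continue
        F = []
        for l, r in SA:
            if C & set(r):
                F.append((l, r))      # r can be visited inside C: pair satisfiable here
            else:
                C = C - set(l)        # r never again inside C: a fair path must avoid l
        if len(F) == len(SA):
            X |= pre_star(nodes, succ, C)
        elif C:
            # states were removed, so C may have split: recurse with the open pairs
            X |= pre_star(nodes, succ, rec_scc(C, succ, F))
    return X


def streett_nonempty(succ, init, SA):
    """Streett emptiness: S0 ∩ RecSCC(S, ->, SA) != {}.  O((n+m) * s^2)."""
    nodes = reachable(succ, init)
    return bool(set(init) & rec_scc(nodes, succ, SA))


# Constructed example graph: 0 -> 1, 1 -> 2, 2 -> 1, 2 -> 3, 3 -> 3 (state 0 is initial)
SUCC = {0: [1], 1: [2], 2: [1, 3], 3: [3]}
INIT = {0}
```

On the constructed graph, the Buchi condition {0} is empty even though state 0 is reachable, because its SCC is trivial; the Streett pairs {(1 → 3), (3 → 1)} are jointly unsatisfiable because 3 is a sink that cannot be combined with infinitely many visits to 1.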
Tableau Construction
Given: LTL formula φ
Find: Buchi automaton M such that L(M) = L(φ) (with a generalized Buchi condition: one accepting set per U-subformula)
[Fischer & Ladner 1975; Manna & Wolper 1982]
Fischer-Ladner Closure of a Formula
Sub(a) = { a }
Sub(φ1 ∧ φ2) = { φ1 ∧ φ2 } ∪ Sub(φ1) ∪ Sub(φ2)
Sub(¬φ) = { ¬φ } ∪ Sub(φ)
Sub(○φ) = { ○φ } ∪ Sub(φ)
Sub(φ1 U φ2) = { φ1 U φ2, ○(φ1 U φ2) } ∪ Sub(φ1) ∪ Sub(φ2)
|Sub(φ)| = O(|φ|)
s ⊆ Sub(φ) is consistent
iff
- if (φ1 ∧ φ2) ∈ Sub(φ) then (φ1 ∧ φ2) ∈ s iff φ1 ∈ s and φ2 ∈ s
- if (¬ψ) ∈ Sub(φ) then (¬ψ) ∈ s iff ψ ∉ s
- if (φ1 U φ2) ∈ Sub(φ) then (φ1 U φ2) ∈ s iff either φ2 ∈ s, or φ1 ∈ s and ○(φ1 U φ2) ∈ s
Tableau M = (S, S0, →, labeling, BA)
- S: the set of consistent subsets of Sub(φ)
- s ∈ S0 iff φ ∈ s
- s → t iff for all (○ψ) ∈ Sub(φ): (○ψ) ∈ s iff ψ ∈ t
- label(s): the conjunction of the atomic observations in s and the negations of the atomic observations not in s
- for each (φ1 U φ2) ∈ Sub(φ), BA contains the accepting set { s | φ2 ∈ s or (φ1 U φ2) ∉ s } (an until obligation that is never discharged may not persist forever)
Size of M is O(2^|φ|).
CTL model checking: linear / quadratic
LTL model checking: PSPACE-complete
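The tableau construction of the preceding slides, as an added Python example that is not part of the lecture. Formulas are encoded as nested tuples (an encoding chosen here, not the lecture's notation), the closure, consistency rules, transitions, labeling and accepting sets follow the slides literally, and `accepts_lasso` checks an ultimately periodic trace against the resulting automaton: the generalized Buchi condition is reduced to a single accepting set with the usual counter over the accepting sets, and a reachable accepting product node that can reach itself witnesses an accepting run. The formula and traces at the end are constructed for illustration.

```python
from itertools import combinations

# Formula encoding used in this example:
#   ('ap', 'a')       atomic observation          ('not', f)     negation
#   ('and', f, g)     conjunction                 ('next', f)    O f
#   ('until', f, g)   f U g


def sub(phi):
    """Fischer-Ladner closure Sub(phi): the five cases on the slide."""
    kind = phi[0]
    if kind == 'ap':
        return {phi}
    if kind in ('not', 'next'):
        return {phi} | sub(phi[1])
    if kind == 'and':
        return {phi} | sub(phi[1]) | sub(phi[2])
    if kind == 'until':
        return {phi, ('next', phi)} | sub(phi[1]) | sub(phi[2])
    raise ValueError(phi)


def consistent(s, closure):
    """Local consistency of a subset s of the closure (the three rules on the slide)."""
    for f in closure:
        if f[0] == 'and' and (f in s) != (f[1] in s and f[2] in s):
            return False
        if f[0] == 'not' and (f in s) != (f[1] not in s):
            return False
        if f[0] == 'until' and (f in s) != (f[2] in s or (f[1] in s and ('next', f) in s)):
            return False
    return True


def tableau(phi):
    """Build the tableau M = (S, S0, ->, label, BA) for phi as a dict."""
    closure = sorted(sub(phi), key=repr)
    states = [frozenset(c) for k in range(len(closure) + 1)
              for c in combinations(closure, k) if consistent(frozenset(c), closure)]
    nexts = [f for f in closure if f[0] == 'next']
    trans = {s: [t for t in states if all((f in s) == (f[1] in t) for f in nexts)]
             for s in states}
    atoms = {f[1] for f in closure if f[0] == 'ap'}
    label = {s: frozenset(f[1] for f in s if f[0] == 'ap') for s in states}
    untils = [f for f in closure if f[0] == 'until']
    # one accepting set per until-subformula; with no until, every state is accepting
    buchi = [{s for s in states if f[2] in s or f not in s} for f in untils] or [set(states)]
    init = {s for s in states if phi in s}
    return dict(states=states, init=init, trans=trans, label=label, atoms=atoms, buchi=buchi)


def accepts_lasso(M, prefix, loop):
    """Does M accept the trace prefix . loop^omega?  A position is the set of
    atoms observed true there.  Product nodes are (state, position, counter);
    the counter advances past accepting set i when the state lies in it."""
    if not loop:
        raise ValueError("loop must be nonempty")
    word = [frozenset(p) & frozenset(M['atoms']) for p in list(prefix) + list(loop)]
    n, sets = len(word), M['buchi']
    k = len(sets)

    def succ(node):
        s, p, i = node
        q = p + 1 if p + 1 < n else len(prefix)
        j = (i + 1) % k if s in sets[i] else i
        return [(t, q, j) for t in M['trans'][s] if M['label'][t] == word[q]]

    start = [(s, 0, 0) for s in M['init'] if M['label'][s] == word[0]]
    seen, todo = set(start), list(start)
    while todo:
        for nxt in succ(todo.pop()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)

    def reaches_itself(node):
        frontier, visited = list(succ(node)), set()
        while frontier:
            x = frontier.pop()
            if x == node:
                return True
            if x not in visited:
                visited.add(x)
                frontier.extend(succ(x))
        return False

    # accepting = counter 0 and state in the first accepting set; on a cycle = reaches itself
    return any(i == 0 and s in sets[0] and reaches_itself((s, p, i)) for (s, p, i) in seen)


# Constructed example: the formula a U b and its tableau (8 consistent states).
PHI = ('until', ('ap', 'a'), ('ap', 'b'))
TABLEAU = tableau(PHI)
```

For a U b the closure has four elements (a, b, a U b, ○(a U b)), and the until rule fixes membership of a U b from the other three, so exactly 8 of the 16 subsets are consistent; the traces a a b^ω and b^ω are accepted, while a^ω (b never arrives) and a trace starting with neither a nor b are rejected. Negating the formula swaps the verdicts, which is the complementation step the slides call easy.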
Preorder Refinement
Given: state-transition graph (Q, →, A, [·]): states Q, transition relation →, observations A, observation function [·]
Find: for each state q ∈ Q, the set sim(q) ⊆ Q of states that simulate q
[Bloom & Paige; Henzinger, Henzinger & Kopke 1995]
for each t ∈ Q do sim(t) := { u ∈ Q | [u] = [t] }
while there are three states s, t, u such that t → s, u ∈ sim(t), and sim(s) ∩ post(u) = ∅
do
    sim(t) := sim(t) \ {u}
{ invariant: if u simulates t, then u ∈ sim(t) }
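The refinement loop above, as an added Python example that is not part of the lecture. It is the naive fixpoint iteration of the slide, starting from the observation-based over-approximation and removing u from sim(t) whenever some successor s of t has no simulating successor of u; it is not the partition-based algorithm of Henzinger, Henzinger & Kopke with its quadratic bound. The two constructed processes at the end differ only in where a branch happens, which is exactly what simulation (unlike trace containment) distinguishes.

```python
def simulation(states, succ, label):
    """Largest simulation preorder: sim[t] is the set of states u that simulate t.

    The loop invariant of the slide holds throughout: if u simulates t then
    u is in sim[t]; on termination the converse holds as well."""
    post = {s: set(succ.get(s, ())) for s in states}
    # initial over-approximation: states with the same observation
    sim = {t: {u for u in states if label[u] == label[t]} for t in states}
    changed = True
    while changed:
        changed = False
        for t in states:
            for s in post[t]:                    # t -> s
                for u in list(sim[t]):           # candidate simulator of t
                    if not (sim[s] & post[u]):   # no successor of u simulates s
                        sim[t].discard(u)        # so u cannot simulate t
                        changed = True
    return sim


def simulates(sim, u, t):
    """Does u simulate t (every move of t can be matched by u)?"""
    return u in sim[t]


# Constructed example: process T branches first and then observes r or s,
# process U observes q once and branches afterwards.
STATES = ['t0', 't1', 't2', 't3', 't4', 'u0', 'u1', 'u2', 'u3']
SUCC = {'t0': ['t1', 't3'], 't1': ['t2'], 't3': ['t4'],
        'u0': ['u1'], 'u1': ['u2', 'u3']}
LABEL = {'t0': 'p', 't1': 'q', 't2': 'r', 't3': 'q', 't4': 's',
         'u0': 'p', 'u1': 'q', 'u2': 'r', 'u3': 's'}
SIM = simulation(STATES, SUCC, LABEL)
```

Both processes have the same finite traces (p q r and p q s), but u0 simulates t0 while t0 does not simulate u0: after u0 moves to u1, neither t1 nor t3 can match both of u1's successors. Simulation therefore implies trace containment but not conversely, which is why the slides treat simulation automata separately from specification automata.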