Four Lectures on Model Checking - PowerPoint PPT Presentation

1
Four Lectures on Model Checking
Tom Henzinger, University of California, Berkeley
2
Four Lectures on Model Checking, Lecture III
1 Eight model-checking problems: logic vs. automata, linear vs. branching, safety vs. liveness
2 Finite-state systems: six graph algorithms for model checking
3 Infinite-state systems: from graph algorithms to symbolic algorithms
3
Model-checking problem
I ⊨ S
I: system model
S: system property
⊨: satisfaction relation
4
Three important decisions when choosing system properties
  • operational vs. declarative: automata vs. logic
  • may vs. must: branching vs. linear time
  • prohibiting bad vs. desiring good behavior: safety vs. liveness

The three decisions are orthogonal, and they lead to substantially different model-checking problems.
5
Logics
  Safety:    STL
  Liveness:  LTL (linear), CTL (branching)
6
Automata
  Safety:     finite automata
  Liveness:   omega automata
  Linear:     language containment
  Branching:  simulation
7
Automata
  Safety:     finite automata
  Liveness:   omega automata
  Linear:     language containment for word automata
  Branching:  language containment for tree automata
8
Specification Automata
Syntax, given a set A of atomic observations:
  • S: finite set of states
  • S0 ⊆ S: set of initial states
  • → ⊆ S × S: transition relation
  • ⟨·⟩: S → PL(A), where the formulas of PL are φ ::= a | φ ∧ φ | ¬φ for a ∈ A

9
Linear semantics of specification automata: language containment
(K,q) ⊑_L M iff L(K,q) ⊆ L(M)
K: state-transition graph; q: state of K; M: specification automaton; L(·): sets of finite traces
10
Checking language containment between finite automata is PSPACE-complete!
L(K,q) ⊆ L(M) iff L(K,q) ∩ complement(L(M)) = ∅
Computing complement(L(M)) involves determinization (subset construction).
11
In practice:
1. require deterministic specification automata
2. use monitor automata
3. use branching semantics
12
Monitor Automata
Syntax: same as specification automata, except also a set E ⊆ S of error states.
Semantics: define L(M) s.t. runs must end in error states.
(K,q) ⊑_C M iff L(K,q) ∩ L(M) = ∅
13
Branching semantics of specification automata: simulation
(K,q) ⊑_B M iff there exists a simulation relation R ⊆ Q × S s.t. (q,s) ∈ R for some initial state s of M
Q: states of K; S: states of M
14
  • R ⊆ Q × S is a simulation relation iff (q,s) ∈ R implies
  • q ⊨ ⟨s⟩, and
  • for all q' s.t. q → q', there exists s' s.t. s → s' and (q',s') ∈ R.

[Milner 1974]
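The relation-refinement algorithm (item B1 on slide 49) for the definition just given, as an added Python example that is not the lecture's code: the specification M, the systems K_ok and K_bad, and the encoding of PL(A) formulas as (positive, negated) literal sets are all constructed here.

```python
"""Greatest simulation relation by refinement (Milner 1974): start from all
pairs (q,s) with q ⊨ ⟨s⟩ and drop pairs whose K-transition cannot be matched
by M until nothing changes.  Everything below is a constructed illustration."""
from itertools import product

def satisfies(obs, formula):
    """q ⊨ ⟨s⟩ for PL(A) formulas that are conjunctions of literals:
    formula = (positive atoms, negated atoms); obs = atoms true in q."""
    pos, neg = formula
    return pos <= obs and not (neg & obs)

def greatest_simulation(K, M):
    """Largest R ⊆ Q × S such that (q,s) ∈ R implies q ⊨ ⟨s⟩ and every
    q → q' has some s → s' with (q',s') ∈ R (definition on slide 14)."""
    R = {(q, s) for q, s in product(K["states"], M["states"])
         if satisfies(K["obs"][q], M["label"][s])}
    changed = True
    while changed:                      # each round removes a violating pair
        changed = False
        for q, s in list(R):
            for q2 in K["edges"].get(q, ()):
                if not any((q2, s2) in R for s2 in M["edges"].get(s, ())):
                    R.discard((q, s))
                    changed = True
                    break
    return R

def simulates(K, q, M):
    """(K,q) ⊑_B M iff (q,s) ∈ R for some initial state s of M (slide 13)."""
    R = greatest_simulation(K, M)
    return any((q, s) in R for s in M["init"])

# Constructed specification M: every a-state is immediately followed by a
# b-state; ⟨s0⟩ = ¬a, ⟨s1⟩ = a, ⟨s2⟩ = b.
M = {"states": {"s0", "s1", "s2"}, "init": {"s0", "s1"},
     "label": {"s0": (set(), {"a"}), "s1": ({"a"}, set()),
               "s2": ({"b"}, set())},
     "edges": {"s0": {"s0", "s1"}, "s1": {"s2"}, "s2": {"s0", "s1", "s2"}}}

# Constructed systems: K_ok answers its a with b; K_bad can skip the b.
OBS = {"q0": {"a"}, "q1": {"b"}, "q2": set()}
K_ok = {"states": set(OBS), "obs": OBS,
        "edges": {"q0": {"q1"}, "q1": {"q2"}, "q2": {"q2"}}}
K_bad = {"states": set(OBS), "obs": OBS,
         "edges": {"q0": {"q1", "q2"}, "q1": {"q2"}, "q2": {"q2"}}}

if __name__ == "__main__":
    print(simulates(K_ok, "q0", M), simulates(K_bad, "q0", M))  # True False
```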
15
Branching semantics of specification automata, alternative definition: trace-tree containment
(K,q) ⊑_B M iff T(K,q) ⊆ T(M)
T(·): sets of finite trace trees
16
Branching semantics of specification automata, alternative definition: game, model vs. specification
(K,q) ⊑_B M iff there exists a winning strategy of M against (K,q)
17
Strategy G of M against (K,q): function from finite runs of K that start in q to states of M such that
- G(q) ∈ S0
- if G(q0…qn) = s and G(q0…qn+1) = s', then s → s'.
G is winning if
- if G(q0…qn) = s, then qn ⊨ ⟨s⟩.
18
(K,q) ⊑_L M: M language-contains (K,q); exponential check; involves only traces (hence linear!)
(K,q) ⊑_B M: M simulates (K,q); quadratic check; involves states (hence branching!)
⊑_B implies ⊑_L, but not conversely.
19
In practice, simulation is usually the right
notion. (If there is language containment, but
not simulation, this is usually accidental, not
by design.)
20
Omega Automata
-safety liveness (infinite runs
!) -specification vs. monitor automata -linear
(language containment) vs. branching
(simulation) semantics
21
Specification Omega Automata
Syntax: as for finite automata; in addition one of the following acceptance conditions:
  Büchi     BA ⊆ S
  coBüchi   CA ⊆ S
  Streett   SA ⊆ 2^S × 2^S
  Rabin     RA ⊆ 2^S × 2^S
22
Language L(M) of specification omega-automaton M = (S, S0, →, ⟨·⟩, A):
infinite trace t0, t1, ... ∈ L(M) iff there exists an infinite run s0 → s1 → ... of M such that
1. s0 → s1 → ... satisfies A
2. for all i ≥ 0, ti ⊨ ⟨si⟩
23
Let Inf(s) = {p | p = si for infinitely many i}.
The infinite run s satisfies the acceptance condition A iff
  Büchi:    Inf(s) ∩ BA ≠ ∅
  coBüchi:  Inf(s) ⊆ CA
  Streett:  for all (l,r) ∈ SA, if Inf(s) ∩ l ≠ ∅ then Inf(s) ∩ r ≠ ∅
  Rabin:    for some (l,r) ∈ RA, Inf(s) ∩ l = ∅ and Inf(s) ∩ r ≠ ∅
24
  finite:   ◇FA
  Büchi:    □◇BA
  coBüchi:  ◇□CA
  Streett:  ∧ (□◇l → □◇r)
  Rabin:    ∨ (◇□¬l ∧ □◇r)
25
Linear semantics of specification omega automata: omega-language containment
(K,q) ⊑_L M iff L(K,q) ⊆ L(M)
L(·): sets of infinite traces
26
Response specification automaton for □(a → ◇b), assuming (a ∧ b) = false
[state diagram: states s0, s1, s2, s3, with observation labels a, ¬b, b, ¬a]
Büchi condition: {s0, s3}
27
Response monitor automaton for □(a → ◇b), assuming (a ∧ b) = false
[state diagram: states s0, s1, s2, with observation labels a, ¬b, true]
Büchi condition: {s2}
28
□◇a
[state diagram: states s0 (a) and s1 (¬a)]
Büchi condition: {s0}
No coBüchi condition
Streett condition: {({s0, s1}, {s0})}
Rabin condition: {(∅, {s0})}
29
◇□a
[state diagram: states s0 (a) and s1 (¬a)]
No Büchi condition
coBüchi condition: {s0}
Streett condition: {({s1}, ∅)}
Rabin condition: {({s1}, {s0, s1})}
30
◇□a
[state diagram: states s0 and s1 (labeled a and ¬a) plus a third state s2 labeled a; nondeterministic]
Büchi condition: {s2}
31
- Büchi and coBüchi automata cannot be determinized
- Streett and Rabin automata can be determinized
nondeterministic Büchi = deterministic Streett = deterministic Rabin = nondeterministic Streett = nondeterministic Rabin = omega-regular [Büchi 1960]
32
Omega automata are strictly more expressive than LTL.
Omega automata: omega-regular languages
LTL: counter-free omega-regular languages
(counter-free omega-regular languages ⊂ omega-regular languages)
33
Omega automata = omega-regular languages = second-order theory of monadic predicates with successor = omega-regular expressions
LTL = counter-free omega-regular languages = first-order theory of monadic predicates with successor = star-free omega-regular expressions
34
Example: a at every even position (omega-regular, but not counter-free)
[state diagram: two states, labeled a and true, alternating]
(∃p) (p ∧ ○¬p ∧ □(p ↔ ○○p) ∧ □(p → a))
(∃p) (p(0) ∧ ¬p(1) ∧ (∀t) (p(t) ↔ p(t+2)) ∧ (∀t) (p(t) → a(t)))
(a · true)^ω
35
Structure of the Omega-Regular Languages
[diagram: Streett = Rabin at the top; Büchi and coBüchi below; Finite and coFinite at the bottom]
36
Structure of the Omega-Regular Languages
[the same diagram, with the counter-free languages marked inside it]
37
Structure of the Counter-free Omega-Regular Languages
[diagram: finite boolean combinations of □◇ and ◇□ at the top; □◇ and ◇□ below them; □ and ◇ at the bottom]
38
The location of a linear-time property in the
Borel hierarchy indicates how hard (theoretically
as well as conceptually) the corresponding
model-checking problem is.
39
[the diagram of slide 37, annotated: □ is safety, □◇ is weakly fair eventuality, and finite boolean combinations of □◇ and ◇□ are strongly fair eventuality]
40
Branching semantics of specification omega automata: infinite trace-tree containment
(K,q) ⊑_B M iff T(K,q) ⊆ T(M)
T(·): sets of infinite trace trees
"Fair simulation" [Henzinger, Kupferman, Rajamani 1997]
41
Branching semantics of specification omega automata, alternative definition: game, model vs. specification
(K,q) ⊑_B M iff there exists a winning strategy of M against (K,q).
Strategy G is winning if
- qn ⊨ ⟨G(q0…qn)⟩, and
- for all infinite fair runs q0 q1 … of K, G(q0) G(q0q1) G(q0q1q2) … ∈ L(M).
42
[figure: fair-simulation example, a trace tree over observations a, b, c, d with a fairness constraint marked B]
43
[figure: fair-simulation example, the second trace tree over observations a, b, c, d]
44
Model-checking problem
I ⊨ S
system model: state-transition graph
system property:
  - safety v. weak v. strong fairness
  - logic v. spec v. monitor automata
  - linear v. branching
45
Model-checking problem
I ⊨ S
system model: state-transition graph
system property:
  - safety (easiest) v. weak fairness (harder) v. strong fairness (hard)
  - logic v. spec v. monitor automata
  - linear v. branching
46
Model-Checking Algorithms: Graph Algorithms
47
  • Safety
    - solve: STL (∃U model checking), finite monitors (◇ emptiness)
    - algorithm: reachability (linear)
  • Eventuality under weak fairness
    - solve: weakly fair CTL (∃□ model checking), Büchi monitors (□◇ emptiness)
    - algorithm: strongly connected components (linear)
  • Liveness
    - solve: strongly fair CTL, Streett monitors (∧ (□◇ → □◇) emptiness)
    - algorithm: recursively nested SCCs (quadratic)

48
From specification automata to monitor automata: determinization (exponential) + complementation (easy)
From LTL to monitor automata: complementation (easy) + tableau construction (exponential)
49
B1 Simulation: relation refinement (quadratic)
B2 Weakly fair simulation: Büchi game (quadratic)
B3 Strongly fair simulation: Streett game (quadratic in structures, exponential in fairness constraints)
50
Six Algorithms
  • Reachability
  • Strongly connected components
  • Recursively nested SCCs
  • Tableau construction
  • Relation refinement
  • Büchi games
  • Streett games
  • Streett determinization

51
Finite Emptiness
Given: finite automaton (S, S0, →, ⟨·⟩, FA)
Find: is there a path from a state in S0 to a state in FA?
Solution: depth-first or breadth-first search
52
Application 1: STL model checking
Application 2: finite monitors
53
Büchi Emptiness
Given: Büchi automaton (S, S0, →, ⟨·⟩, BA)
Find: is there an infinite path from a state in S0 that visits some state in BA infinitely often?
Solution:
1. Compute the SCC graph by depth-first search
2. Mark SCC C as fair iff C ∩ BA ≠ ∅
3. Check if some fair SCC is reachable from S0
54
Application 1: CTL model checking over weakly-fair transition graphs (note: really need multi-Büchi)
Application 2: Büchi monitors
55
Streett Emptiness
Given: Streett automaton (S, S0, →, ⟨·⟩, SA)
Find: is there an infinite path from a state in S0 that satisfies all Streett conditions (l,r) in SA?
Solution: check if S0 ∩ RecSCC(S, →, SA) ≠ ∅
56
function RecSCC(S, →, SA):
  X := ∅
  for each C ∈ SCC(S, →) do
    F := ∅
    if →C ≠ ∅ then
      for each (l,r) ∈ SA do
        if C ∩ r ≠ ∅ then F := F ∪ {(l,r)}
        else C := C \ l
      if F = SA then X := X ∪ pre(C)
      else X := X ∪ RecSCC(C, →C, F)
  return X
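RecSCC from slide 56 together with the Büchi check of slide 53, as an added Python example (constructed here, not the lecture's code); it assumes a graph given as a successor dictionary and applies forward reachability from S0 once instead of the slide's pre(C) inside the recursion, which yields the same S0 test as on slide 55.

```python
def sccs(states, succ):
    """Tarjan's algorithm: the SCCs of the graph (states, succ) as frozensets."""
    index, low, stack, on, out = {}, {}, [], set(), []
    def visit(v):
        index[v] = low[v] = len(index); stack.append(v); on.add(v)
        for w in succ.get(v, ()):
            if w not in index: visit(w); low[v] = min(low[v], low[w])
            elif w in on: low[v] = min(low[v], index[w])
        if low[v] == index[v]:                 # v is the root of an SCC: pop it
            comp, w = set(), None
            while w != v:
                w = stack.pop(); on.discard(w); comp.add(w)
            out.append(frozenset(comp))
    for v in states:
        if v not in index: visit(v)
    return out

def restrict(succ, C):                          # →C: transitions inside C
    return {v: {w for w in succ.get(v, ()) if w in C} for v in C}

def rec_scc(S, succ, SA):
    """RecSCC of slide 56: states of every sub-SCC meeting all pairs (l,r); a pair
    with C ∩ r = ∅ has l cut out of C, and the kept pairs are re-checked inside."""
    X = set()
    for C in sccs(S, succ):
        C = set(C)
        if not any(succ.get(v, set()) & C for v in C):   # →C = ∅: no cycle here
            continue
        F = set()
        for l, r in SA:
            if C & r: F.add((l, r))
            else: C -= l
        X |= C if F == set(SA) else rec_scc(C, restrict(succ, C), F)
    return X

def streett_nonempty(S0, succ, SA):
    """Slide 55, with pre(C) replaced by forward reachability from S0."""
    R, todo = set(S0), list(S0)
    while todo:
        for w in succ.get(todo.pop(), ()):
            if w not in R: R.add(w); todo.append(w)
    return bool(rec_scc(R, restrict(succ, R), SA))

# Constructed automaton: s0 <-> s1 -> s2 -> s3 -> s1, initial state s0.
S, S0 = {"s0", "s1", "s2", "s3"}, {"s0"}
SUCC = {"s0": {"s1"}, "s1": {"s0", "s2"}, "s2": {"s3"}, "s3": {"s1"}}
NO_S3 = (frozenset({"s3"}), frozenset())                   # r = ∅: s3 only finitely often
SA_SAT = [NO_S3, (frozenset({"s0"}), frozenset({"s1"}))]   # met by s0 s1 s0 s1 ...
SA_UNSAT = [NO_S3, (frozenset({"s0"}), frozenset({"s2"}))] # s2 inf. often would need s3
BUCHI_S2 = [(frozenset(S), frozenset({"s2"}))]             # Büchi set {s2} as the one pair (S, BA)
```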
57
Complexity
n: number of states; m: number of transitions; s: number of Streett pairs
Reachability: O(n+m)
SCC: O(n+m)
RecSCC: O((n+m) · s²)
58
Application 1: CTL model checking over strongly-fair transition graphs
Application 2: Streett monitors
59
Tableau Construction
Given: LTL formula φ
Find: Büchi automaton Mφ such that L(Mφ) = L(φ)
Mφ monitors the subformulas of φ
[Fischer & Ladner 1975; Manna & Wolper 1982]
60
Fischer-Ladner Closure of a Formula
Sub(a) = {a}
Sub(ψ ∧ χ) = {ψ ∧ χ} ∪ Sub(ψ) ∪ Sub(χ)
Sub(¬ψ) = {¬ψ} ∪ Sub(ψ)
Sub(○ψ) = {○ψ} ∪ Sub(ψ)
Sub(ψ U χ) = {ψ U χ, ○(ψ U χ)} ∪ Sub(ψ) ∪ Sub(χ)
|Sub(φ)| = O(|φ|)
61
s ⊆ Sub(φ) is consistent iff
- if (ψ ∧ χ) ∈ Sub(φ) then (ψ ∧ χ) ∈ s iff ψ ∈ s and χ ∈ s
- if (¬ψ) ∈ Sub(φ) then (¬ψ) ∈ s iff ψ ∉ s
- if (ψ U χ) ∈ Sub(φ) then (ψ U χ) ∈ s iff either χ ∈ s, or ψ ∈ s and ○(ψ U χ) ∈ s
62
Tableau Mφ = (S, S0, →, ⟨·⟩, BA)
S: set of consistent subsets of Sub(φ)
s ∈ S0 iff φ ∈ s
s → t iff for all (○ψ) ∈ Sub(φ), (○ψ) ∈ s iff ψ ∈ t
⟨s⟩: conjunction of the atomic observations in s and the negated atomic observations not in s
For each (ψ U χ) ∈ Sub(φ), BA contains {s | χ ∈ s or (ψ U χ) ∉ s}
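The closure, consistency check and tableau of slides 60-62, as an added Python example that is not the lecture's code; it assumes formulas encoded as nested tuples and represents ⟨s⟩ by the set of atoms that are positive in s, all other atoms being negated.

```python
"""Tableau construction (slides 60-62) for LTL over atoms with ¬, ∧, ○ and U.
Formulas are nested tuples, e.g. ("until", ("next", ("atom", "a")), ("atom", "b"))."""
from itertools import combinations

def sub(f):
    """Fischer-Ladner closure Sub(φ) (slide 60)."""
    op = f[0]
    if op == "atom": return {f}
    if op in ("not", "next"): return {f} | sub(f[1])
    if op == "and": return {f} | sub(f[1]) | sub(f[2])
    return {f, ("next", f)} | sub(f[1]) | sub(f[2])      # until

def consistent(s, closure):
    """Local consistency of s ⊆ Sub(φ) (slide 61)."""
    for f in closure:
        op, inside = f[0], f in s
        if op == "and" and inside != (f[1] in s and f[2] in s): return False
        if op == "not" and inside == (f[1] in s): return False
        if op == "until" and inside != (f[2] in s or (f[1] in s and ("next", f) in s)):
            return False
    return True

def tableau(phi):
    """M_φ = (S, S0, →, ⟨·⟩, BA) of slide 62; BA is a list of Büchi sets, one per U."""
    closure = sorted(sub(phi), key=repr)
    S = [frozenset(c) for n in range(len(closure) + 1)
         for c in combinations(closure, n) if consistent(set(c), closure)]
    S0 = [s for s in S if phi in s]
    nexts = [f for f in closure if f[0] == "next"]
    succ = {s: {t for t in S if all((f in s) == (f[1] in t) for f in nexts)} for s in S}
    atoms = {f[1] for f in closure if f[0] == "atom"}
    label = {s: {a for a in atoms if ("atom", a) in s} for s in S}  # ⟨s⟩: these atoms true, the rest negated
    BA = [{s for s in S if f[2] in s or f not in s} for f in closure if f[0] == "until"]
    return S, S0, succ, label, BA

def prefix_runs(T, obs_seq):
    """States of M_φ some run can be in after reading the finite prefix obs_seq
    (each element: the set of atoms true at that position); ∅ means no run fits."""
    S, S0, succ, label, _ = T
    cur = {s for s in S0 if label[s] == set(obs_seq[0])}
    for O in obs_seq[1:]:
        cur = {t for s in cur for t in succ[s] if label[t] == set(O)}
    return cur

A, B = ("atom", "a"), ("atom", "b")
A_UNTIL_B = ("until", A, B)                    # a U b
PHI = ("until", ("next", A), ("next", B))     # φ = (○a) U (○b), the example of slides 63-66

if __name__ == "__main__":
    S, S0, succ, label, BA = tableau(A_UNTIL_B)
    print(len(S), len(S0), len(BA[0]))                      # 8 5 7
    print(prefix_runs(tableau(A_UNTIL_B), [{"a"}, {"b"}]))  # two states, both containing b
```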
63
φ = (○a) U (○b)
[figure, slides 63-66: the tableau for φ built up state by state; the state sets are not recoverable from the transcript]
67
Size of Mφ is O(2^|φ|).
CTL model checking: linear / quadratic
LTL model checking: PSPACE-complete