Tutorial I

1
Tutorial I An Introduction to Model Checking

• Peng WU
• INRIA Futurs
• LIX, École Polytechnique

2
Outline

• Model Checking
• Temporal Logic
• Model Checking Algorithms
• Symbolic Model Checking
• Advanced Topics
• Symmetry Reduction
• Partial-Order Reduction
• Infinite Model Checking

3
Principles
Answer Yes, if the model satisfies the
specification Counterexample, otherwise
Model (System Requirements)

• Increase our confidence in the correctness of the
  model
• The model satisfied enough system properties
• Study counterexamples, pinpoint the source of the
  error, correct the model, and try again

Model Checker
Specification (System Property)
4
Kripke Model

• Kripke Structure Labeling Function
• Let AP be a non-empty set of atomic propositions.
  
• Kripke Model M (S, s0, R, L)
• S finite set of states
• s0?S initial state
• R?S ? S transition relation
• L S?2AP labeling function

5
Temporal Logics

• Express properties of event orderings in time

• Linear Time
• Every moment has a unique successor
• Infinite sequences (words)
• Linear Temporal Logic (LTL)

• Branching Time
• Every moment has several successors
• Infinite tree
• Computation Tree Logic (CTL)

6
Linear Temporal Logic

• (Path) Formulas
• p atomic proposition
• ?p, p?q, p?q
• Op, ?p, ??p, pUq, pRq
• Semantics
• M, ? p if p?L(?0)
• M, ? ?p if not M, ? p
• M, ? p?q if M, ? p and M, ? q
• M, ? p?q if M, ? p or M, ? q

7
LTL

• Semantics
• M, ? Op if M, ?1 p
• M, ? ??p if ?i0 M, ?i p
• M, ? ?p if ?i0 M, ?i p
• M, ? pUq if ?i0 M, ?i q and ?jlti M,
  ?j p
• M, ? pRq if ?i0 M, ?i q or ?i0
  M, ?i p and ?ji M, ?j q

M p if ????(M) M, ? p
8
LTL

• ??p
• ?p
• pUq
• pRq

9
LTL Satisfiability

• The satisfiability problem of LTL is
  PSPACE-complete.
• If a LTL formula is satisfiable, then the formula
  is satisfiable by a finite kripke model.
• LTL Model Checking PSAPCE-complete

10
LTL Model Checking

• ?-Regular Languages
• ?-Automata
• Finite states
• Representing infinite executions
• Büchi Automata
• ltS, S, ?, I, L, F gt
• ltAP, S, R , s0, Lgt - Kripke Model

M p iff L(MA) ? L(pA) iff L(MA??pA)?
11
LTL Model Checking

• We can build a Büchi automaton which accepts all
  and only the infinite traces represented by an
  LTL formula.
• The Büchi automaton is exponential in the size of
  the formula.
• The complexity of model checking is proportional
  to the size of the automaton.

12
Computation Tree Logic

• (State) Formulas
• p - atomic proposition
• ?p, p?q, p?q
• AXp, EXp, AFp, EFp, AGp, EGp
• A(pUq), E(pUq), A(pRq), E(pRq)

13
CTL Semantics

• M, s p if p?L(s)
• M, s ?p if not M, s p
• M, s p?q if M, s p and M, s q
• M, s p?q if M, s p or M, s q
• M, s Ap if ????(s) M, ? p
• M, s Ep if ????(s) M, ? p

14
CTL Semantics

• M, ? Xp if M, ?1 p
• M, ? Fp if ?i0 M, ?i p
• M, ? Gp if ?i0 M, ?i p
• M, ? pUq if ?i0 M, ?i q and ?jlt i
  M, ?j p
• M, ? pRq if ?i0 M, ?i q or
  ?i0 M, ?i p and ?ji M, ?j q

M p if M, s0 p
15
CTL Satisfiability

• The satisfiability problem of CTL is
  EXPTIME-complete.
• If a CTL formula is satisfiable, then the formula
  is satisfiable by a finite kripke model.
• CTL Model Checking O(p(SR))

16
Equivalence

• EXp EGp E(pUq)
• --------------------------------------------------
  -
• AXp ? ?EX?p
• AFp ? ?EG?p
• AGp ? ?EF?p
• A(pRq) ? ?E(?pU?q)
• A(pUq) ? ?E(?pR?q)
• EFp ? E(true U p)
• E(pRq) ? E(qU(p?q))?EGq

17
CTL Model Checking

• Six Cases
• p is an atomic proposition
• p ?q
• p q?r
• p EXq
• p EGq
• p E(qUr)
• Extension of L L S ?2AP ?subformulas of p

18
CTL Model Checking

• p is an atomic proposition
• L(s) L(s)
• p ?q
• L(s) L(s) ? p if q?L(s)
• p q?r
• L(s) L(s) ? p if q?L(s) or r?L(s)
• p EX q
• L(s) L(s) ? p if ?(s,s)?R q?L(s)

19
E(qUr)

• procedure checkEU(q,r)
• T s r ? L(s)
• for (all s ?T) do L(s) L(s) ? p
• while (T??) do
• choose s ?T
• T T \ s
• for (all t such that R(t,s)) do
• if (p ? L(t) and q ? L(t)) then
• L(t) L(t) ? p
• T T ? t

q
BFS
r
20
Example E(qUr)
q
r
q
q
q
q,r
21
EGq

• procedure checkEG(q)
• S s q ? L(s)
• SCC C C is a non-trivial SCC of S
• T s s ? some C of SCC
• for (all s ?T) do L(s) L(s) ? p
• while (T??) do
• choose s ?T
• T T \ s
• for (all t such that t ? S and R(t,s)) do
• if (p ? L(t)) then
• L(t) L(t) ? p
• T T ? t

q
SCC
EG q
SCC
SCC
22
Example EGq
q
r
q
q
q
q,r
23
CTL

• State Formulas
• p atomic proposition
• ?p, p?q, p?q
• Ap, Ep if p is a path formula
• Path Formulas
• p if p is a state formula
• ?p, p?q, p?q
• Xp, Fp, Gp, pUq, pRq

24
CTL Semantics State Formulas

• M, s p if p?L(s)
• M, s ?p if not M, s p
• M, s p?q if M, s p and M, s p
• M, s p?q if M, s p or M, s p
• M, s Ap if ????(s) M, ? p
• M, s Ep if ????(s) M, ? p

25
CTL Semantics Path Formulas

• M, ? p if M, ?0 p (p is a state
  formula)
• M, ? ?p if not M, ? p
• M, ? p?q if M, ? p and M, ? q
• M, ? p?q if M, ? p or M, ? q

26
CTL Semantics Path Formulas

• M, ? Xp if M, ?1 p
• M, ? Fp if ?i0 M, ?i p
• M, ? Gp if ?i0 M, ?i p
• M, ? pUq if ?i0 M, ?i q and ?jlt i
  M, ?j p
• M, ? pRq if ?i0 M, ?i q or
  ?i0 M, ?i p and ?ji M, ?j q

For a state formula p M p if M, s0 p
27
CTL Satisfiability

• The satisfiability problem of CTL is
  2EXPTIME-complete.
• If a CTL formula is satisfiable, then the
  formula is satisfiable by a finite kripke model.
• CTL Model Checking PSAPCE-complete

28
Extended Kripke Model

• Kripke Model (S, s0, R, L)
• S finite set of states
• s0?S initial state
• R?2S ? S finite set of transition relations
• L S?2AP labeling function
• Let a?S?S range over transition relations in R
• sas (s,s)?a

29
Modal ?-Calculus

• (State) Formulas
• p atomic proposition
• ?p, p?q, p?q
• ap, ?a?p
• X proposition variable
• ?X.p, ?X.p if all occurrences of X is under an
  even number of negations
• Syntactic Monotonicity

30
Alternation Depth

• top-level ?(?)-subformula
• NOT contained within any other greatest(least)
  fixpoint subformula
• Alternation Depth d
• d(p)d(?p)d(X)0
• All negations are applied to propositions.
• d(p?q)d(p?q)max(d(p),d(q))
• d(ap)d(?a?p)d(p)
• d(?X.p)max(1, d(p), 1max(,d(qi),)), where qi
  is a top-level ?-subformula
• d(?X.p)max(1, d(p), 1max(,d(qi),)) , where qi
  is a top-level ?-subformula

31
Modal ?-Calculus - Semantics

• M, s V p if p?L(s)
• M, s V ?p if not M, s V p
• M, s V p?q if M, s V p and M, s V p
• M, s V p?q if M, s V p or M, s V p
• M, s V ap if ?s?sa M, s V p
• M, s V ?a?p if ?s?sa M, s V p
• M, s V X if s?V (X)
• M, s V ?X.p if M, s V p?X.p /X?
• M, s V ?X.p if M, s V p?X.p /X?

32
Global Model Checking

• Denotation Semantics
• SV (p) s p?L(s)
• SV (?p) S SV (p)
• SV (p?q) SV (p) ? SV (q)
• SV (p?q) SV (p) ? SV (q)
• SV (ap) s ?s?sa s?SV (p)
• SV (?a?p) s ?s?sa s?SV (p)
• SV (X) V (X)
• SV (?X.p) ?W?S W?SV X?W(p)
• SV (?X.p) ?W?S SV X?W(p)?W
• Tarski-Knaster Theorem

33
Global Model Checking

• Global Model Checking
• M, s p if s?SV (p)
• F(W) SV X?W(p)
• ?X.p
• S, F(S), F2(S),, Fi(S)Fi1(S)
• ?X.p
• ?, F(?), F2(?),, Fi(?)Fi1(?)
• O(p(SR)Sk)
• k nesting depth
• Emerson-Lei O(p(SR)(pS)d)

34
Local Model Checking

• Extension of Modal ?-Calculus
• ?XW.p
• ?X.p ? ?X?.p
• Let F be a function on 2S, P??X.F(X) iff
  P?F(?X.(P?F(X)))
• M, s V ?XW.p if
• s?W or, if not, M, s V p?XW?s.p/X
• Tableau System
• Fixpoint Equation System

35
Modal ?-Calculus Satisfiability

• The satisfiability problem of modal ?-calculus is
  EXPTIME-complete.
• If a modal ?-calculus formula is satisfiable,
  then the formula is satisfiable by a finite
  kripke model.
• Modal ?-Calculus Model Checking O(?)

36
Symbolic Model Checking

• State Space Explosion Problem
• Reduce memory requirement by utilizing compact
  representations of states/transitions
• Boolean formulas represent sets and relations
• Use fixed point characterizations of CTL operators

37
Ordered Binary Decision Diagram (OBDD)
a1
1
0
b1
b1
0
1
0
1
a2
a2
a2
a2
0
1
1
0
0
1
1
0
b2
b2
b2
b2
b2
b2
b2
b2
0
0
1
1
0
0
1
1
0
0
1
1
0
0
1
1
0
0
1
1
0
0
0
0
0
0
0
0
1
0
0
1
(a1 ? b1) ? (a2 ? b2)
38
Reduced OBDD
a1
1
0
b1
b1
0
1
0
1
a2
a2
a2
a2
0
1
1
0
0
1
1
0
b2
b2
b2
b2
b2
b2
b2
b2
0
0
1
1
0
0
1
1
0
0
1
1
0
0
1
1
0
0
1
1
0
0
0
0
0
0
0
0
1
0
0
1

• (a1 ? b1) ? (a2 ? b2)

39
Reduced Ordered BDD
a1
1
0
b1
b1
0
1
0
1
a2
a2
a2
0
1
0
1
1
0
b2
b2
b2
b2
b2
b2
0
0
1
1
0
1
0
0
1
1
0
1
0
0
1
1
0
0
0
0
0
1
0
0
1

• (a1 ? b1) ? (a2 ? b2)

40
Reduced Ordered BDD
a1
1
0
b1
b1
0
1
0
1
a2
a2
0
1
1
0
b2
b2
b2
b2
0
1
0
1
0
1
0
1
0
0
1
1
0
1
0
0
1

• (a1 ? b1) ? (a2 ? b2)

41
Reduced Ordered BDD
a1
1
0
b1
b1
1
0
0
1
a2
0
1
b2
b2
0
1
0
1
0
1
0
0
1

• (a1 ? b1) ? (a2 ? b2)

42
Reduced Ordered BDD
a1
1
0
b1
b1
1
0
1
a2
0
0
1
b2
b2
0
1
0
1
0
1

• (a1 ? b1) ? (a2 ? b2)

43
Representation for States

• States as Boolean Formulas
• 2m states encoded by m proposition variables
• State - conjunction of proposition or negative
  proposition
• Set of States conjunction of state (encoding)
  formula
• Example m 2, Ss1,s2,s3,s4
• Proposition Variables a, b
• S00, 01, 10, 11?a??b, ?a? b, a??b, a?b
• s1,s200, 01(?a??b)?(?a?b)

44
Representation for Transitions

• Transitions as Boolean Formulas
• (s, s) encoded by two sets of proposition
  variables
• Transition conjunction of s and s
• Set of Transitions conjunction of transition
  (encoding) formula
• Example
• (s4,s3) (11, 10) a?b?a??b

45
Symbolic Model Checking

• Atomic Propositions
• ROBDD(p) s p?L(s)
• ROBDD(?p) reversion of ROBDD(p)
• ROBDD(p?q) ROBDD (p)?ROBDD(q)
• ? is ? or ?
• ROBDD(EXp(v)) ?vp(v)?R(v, v)
• (E(pUq)) ?Z.q?(p?EX Z)
• (EGp) ?Z.p?EX Z

46
Genealogy
Floyd/Hoare late 60s
Aristotle 300s BCE Kripke 59
Logics of Programs
Temporal/ Modal Logics
Büchi, 60
Tarski
50s
Pnueli late 70s
w-automata S1S
Clarke/Emerson Early 80s
Park, 60s
m-Calculus
Vardi/Wolper
Kurshan
mid 80s
CTL Model Checking
Bryant, mid 80s
LTL Model Checking
ATV
QBF
BDD
Symbolic Model Checking
late 80s
47
Anything Else?

• Model Checking
• Temporal Logic
• Model Checking Algorithms
• Symbolic Model Checking
• Advanced Topics
• Symmetry Reduction
• Partial Order Reduction
• Infinite Model Checking

48
Symmetry Reduction

• If state space is symmetric, explore only a
  symmetric quotient of the state space
• A permutation ? is an automorphism of M if for
  any s1,s2?S, R(s1,s2) ? R(?(s1), ?(s2))
• G is an automorphism group for M iff every
  permutation ??G is an automorphism of M.
• An automorphism group G is an invariance group
  for an atomic proposition p iff for any ??G, s?S,
  p?L(s) ? p?L(?(s))

49
Quotient Models

• G Automorphism Group
• Orbit - ?(s) t ???G ?(s)t
• MG(SG, ?(s0), RG, LG)
• SG?(s) s?S
• RG(?(s1), ?(s2)) (s1, s2)?R
• LG(?(s))L(rep(?(s))) representative
• If G is an invariance group for all the atomic
  propositions occurring in a CTL formula p, then
  M, s p iff MG, ?(s) p
• The orbit problem is as hard as the Graph
  Isomorphism problem, which is in NP.

50
Partial Order Reduction

• Reduce the number of interleavings of independent
  concurrent transitions
• Enabledness Commutativity

s
s
s
a
b
a
b
a
s2
s2
s1
s1
s1
a
b
b
b
r
r
r
No Reductions
Transitions Reduced
States Reduced
51
Stuttering Equivalence

• Let M and M be two stuttering equivalent
  structures. For every LTL_X property p, M, s p
  iff M, s p

52
Infinite Model Checking

• Verification of Infinite Systems
• Unbounded Data Structures
• Data Manipulations on Infinite Data Domains, e.g
  integer counters
• Asynchronous (Lossy) Channel Systems unbounded
  FIFO queues
• Timed Automata - real-valued clocks
• Unbounded Control Structures
• (Recursive) Procedure Call - unbounded stacks
  (Pushdown Automata)
• Parameterized Systems any number of processes
• Dynamic Creation of Processes, Mobility
• Abstract Representation
• Regular Sets, Time Zones,
• More techniques involved
• Constraint Programming, Deductive Verification,
• AVIS - International Workshop on Automated
  Verification of Infinite-State Systems

53
Still More

• Abstraction
• Compositional Verification
• Software Model Checking
• VeriSoft, SLAM, JPF
• Probabilistic Model Checking