Model Checking

1
Model Checking Lecture 2 Tom Henzinger
2
Model-Checking Problem
I S
System model
System property
3
System model State-transition graph
q1
a
b
a,b
q3
q2
States Q q1, q2, q3 Atomic observations
A a, b Transition relation ? ? Q ?
Q Observation function Q ? 2A
4
Run sequence of states q1,
q2 Observation set of atomic
observations Trace sequence of
observations a, a,b
5
System property 2x2x2 choices
-safety (finite runs) vs. liveness (infinite
runs) -linear time (traces) vs. branching time
(runs) -logic (declarative) vs. automata
(executable)
6
STL (Safe Temporal Logic)
-safety (only finite runs) -branching (runs, not
traces) -logic
7
Defining a logic

• Syntax
• What are the formulas?
• 2. Semantics
• What are the models?
• Does model M satisfy formula ? ?

M ?
8
Propositional logics 1. boolean variables
(a,b) boolean operators (?,?) 2. model
truth-value assignment for variables Propositio
nal modal (e.g. temporal) logics 1. ...
modal operators (?,?) 2. model set of
(e.g. temporally) related prop. models
9
Propositional logics 1. boolean variables
(a,b) boolean operators (?,?) 2. model
truth-value assignment for variables Propositio
nal modal (e.g. temporal) logics 1. ...
modal operators (?,?) 2. model set of
(e.g. temporally) related prop. models
observations
state-transition graph (Kripke structure)
10
STL Syntax
? a ? ? ? ? ? ?? ? ? ?U ?
boolean operators
boolean variable (atomic observation)
modal operators
11
STL Model
( K, q )
state-transition graph
state of K
12
STL Semantics
(K,q) a iff a ? q (K,q) ? ? ?
iff (K,q) ? and (K,q) ? (K,q)
?? iff not (K,q) ? (K,q)
?? ? iff exists q s.t.
q ? q and (K,q) ? (K,q) ? ?U ?
iff exist q0, ..., qn s.t. 1.
q q0 ? q1 ? ... ? qn 2. for all 0 ? i
lt n, (K,qi) ? 3. (K,qn)
?
13
Defined modalities

• ?? EX exists next
• ?? ? ????? AX forall next
• ?U EU exists until
• ?? ? true ?U ? EF exists eventually
• ?? ? ? ?? ?? AG forall always
• ?W? ? ( (??) ?U (?? ? ??))
• AW forall waiting-for
  (forall weak-until)

14
Important safety properties
Invariance ?? a Sequencing a ?W b
?W c ?W d a ?W
(b ?W (c ?W d))
15
Important safety properties mutex protocol
Invariance ?? ? (in_cs1 ?
in_cs2) Sequencing ?? ( req_cs1 ?
?in_cs2 ?W in_cs2 ?W ?in_cs2 ?W
in_cs1 )
16
Branching properties
Deadlock freedom ?? ?? true Possibility
?? (a ? ?? b)
?? (req_cs1 ? ??
in_cs1)
17
CTL (Computation Tree Logic)
-safety liveness -branching time -logic
Clarke Emerson Queille Sifakis 1981
18
CTL Syntax
? a ? ? ? ? ? ?? ? ? ?U ?
???
19
CTL Model
( K, q )
fair state-transition graph
state of K
20
CTL Semantics
(K,q) ?? ? iff exist q0, q1, ...
s.t. 1. q
q0 ? q1 ? ... is an infinite fair run
2. for all i ? 0, (K,qi) ?

21
Defined modalities

• ?? EG exists always
• ?? ? ????? AF forall
  eventually
• ?W? (? ?U ?) ? (?? ?)
• ?U ? (? ?W ?) ? (???)

22
Important liveness property
Response ?? (a ? ?? b) ?? (req_cs1 ? ??
in_cs1)
23
If only universial properties are of
interest, why not omit the path quantifiers?
24
LTL (Linear Temporal Logic)
-safety liveness -linear time -logic
Pnueli 1977 Lichtenstein Pnueli 1982
25
LTL Syntax
? a ? ? ? ? ? ? ? ? U ?
26
LTL Model
infinite trace t t0 t1 t2 ...
27
Language of deadlock-free state-transition graph
K at state q L(K,q) ... set of infinite
traces of K starting at q
(K,q) ?? iff for all t ? L(K,q),
t ? (K,q) ?? iff exists t ?
L(K,q), t ?
28
LTL Semantics
t a iff a ? t0 t ? ? ? iff
t ? and t ? t ?? iff
not t ? t ? ? iff t1
t2 ... ? t ? U ? iff exists n ? 0
s.t. 1. for all 0 ? i lt n, ti ti1 ...
? 2. tn tn1 ... ?
29
Defined modalities

• ? X next
• U U until
• ? ? true U ? F eventually
• ? ? ? ? ?? G always
• W? (? U ?) ? ?? W waiting-for
  (weak-until)

30
Important properties
Invariance ? a ? ?
(in_cs1 ? in_cs2) Sequencing a W b W
c W d ? ( req_cs1
? ?in_cs2 W in_cs2 W
?in_cs2 W in_cs1 ) Response ? (a ? ? b)
? (req_cs1 ? ? in_cs1)
31
Composed modalities
?? a infinitely often a ?? a almost always a
32
Where did fairness go ?
33
Unlike in CTL, fairness can be expressed in LTL
! So there is no need for fairness in the model.
Weak (Buchi) fairness ? ?? (enabled ? ? taken
) ?? (enabled ? taken) Strong (Streett)
fairness ( ?? enabled ) ? ( ?? taken )
34
Starvation freedom, corrected
?? (in_cs2 ? out_cs2) ? ? (req_cs1 ? ?
in_cs1)
35
CTL cannot express fairness
??? a ? ?? ?? a ??? b ? ?? ?? b
q1
q0
q2
a
a
b
36
LTL cannot express branching
Possibility ?? (a ? ?? b)
So, LTL and CTL are incomparable. (There are
branching logics that can express fairness, e.g.
CTL CTL LTL, but they lose the computational
attractiveness of CTL.)
37
Finite Automata
-safety (no infinite runs) -linear or branching
time -automata (not logic)
38
Specification Automata
Syntax, given a set A of atomic observations

• S finite set of states
• S0 ? S set of initial states
• ? S ? S transition relation
• S ? PL(A) where the formulas of PL are
• ? a ? ? ? ? ?
• for a ? A

39
Language L(M) of specification automaton M (S,
S0, ?, ? )
finite trace t0, ..., tn ? L(M) iff there
exists a finite run s0 ? s1 ? ... ? sn of
M such that for all 0 ? i ? n, ti ?(si)
40
Linear semantics of specification
automata language containment
(K,q) L M iff L(K,q) ? L(M)
state-transition graph
state of K
specification automaton
finite traces
41
Invariance specification automaton

• in_cs1
• ?
• in_cs2

42
Starvation freedom specification automaton
req_cs1 ? ?in_cs2
req_cs1 ? in_cs2
out_cs1
req_cs1 ? ?in_cs2
in_cs1
43
Automata are more expressive than logic, because
temporal logic cannot count
a
true
This cannot be expressed in LTL. (How about a ?
? (a ??? a) ?)
44
Checking language containment between finite
automata is PSPACE-complete !
L(K,q) ? L(M) iff L(K,q) ? complement( L(M) )
?
involves determinization (subset construction)
45
In practice 1. require deterministic
specification automata 2. use monitor automata
3. use branching semantics
46
Monitor Automata
Syntax same as specification automata, except
also set E ? S of error states Semantics
define L(M) s.t. runs must end in error
states (K,q) C M iff
L(K,q) ? L(M) ?
47
Invariance monitor automaton

• in_cs1
• ?
• in_cs2

in_cs1 ? in_cs2
48
Starvation freedom monitor automaton
req_cs1 ? ?in_cs2
req_cs1 ? in_cs2
out_cs1
req_cs1 ? in_cs2
req_cs1 ? ?in_cs2
in_cs1
49
Specification automaton Monitor automaton
M
complement(M) -describe correct
traces -describe error traces -check language
containment -check emptiness (linear)
(exponential) reachability of error
states
All safety verification is reachability
checking.
50
Main problem with deterministic specifications
and monitor automata not suitable for stepwise
refinement / abstraction
S1 S2 S3
refines
51
In practice 1. require deterministic
specification automata 2. use monitor automata
3. use branching semantics
52
Branching semantics of specification
automata simulation
states of K
(K,q) B M iff there exists a
simulation relation R ? Q ? S s.t. (q,s) ? R
for some initial state s of M
states of M
53

• R ? Q ? S is a simulation relation
• iff
• (q,s) ? R implies
• q ?(s)
• for all q s.t. q ? q , exists s
  s.t. s ? s and (q,s) ? R.

Milner 1974
54
involves only traces (hence linear !)
(K,q) L M M language contains (K,q)
exponential check (K,q) B M M
simulates (K,q) quadratic check
X
? ?
involves states (hence branching !)
55
In practice, simulation is usually the right
notion. (If there is language containment, but
not simulation, this is usually accidental, not
by design.)
56
Finite Omega-Automata
-safety liveness (infinite runs !) -linear or
branching time -automata (not logic)
57
-specification vs. monitor automata -linear
(language containment) vs. branching
(simulation) semantics
We discuss only the linear specification case.
58
Specification Omega-Automata
Syntax as for finite automata,
in addition one of the following acceptance
conditions
Buchi BA ? S coBuchi CA ? S Streett SA ? 2S
? 2S Rabin RA ? 2S ? 2S
59
Language L(M) of specification omega-automaton M
(S, S0, ?, ?, A )
infinite trace t0, t1, ... ? L(M) iff there
exists an infinite run s0 ? s1 ? ... of M such
that 1. s0 ? s1 ? ... satisfies A 2. for all
i ? 0, ti ?(si)
60
Let Inf(s) p p si for infinitely many i
.
The infinite run s satisfies the acceptance
condition A iff Buchi Inf(s) ? BA ?
? coBuchi Inf(s) ? CA Streett for all (l,r) ?
SA, if Inf(s) ? l ? ? then Inf(s) ? r ?
? Rabin for some (l,r) ? RA, Inf(s) ? l
? and Inf(s) ? r ? ?
61
Buchi ?? BA coBuchi ?? CA Streett ? (??l ?
??r) Rabin ? (???l ? ??r)
62
Linear semantics of specification
omega-automata omega-language containment
(K,q) L M iff L(K,q) ? L(M)
infinite traces
63
Response specification automaton ? (a ? ?b)
assuming (a ? b) false
s1
a
?b
s2
s0
b
?a
s3
Buchi condition s0, s3
64
?? a
a
?a
s1
s0
Buchi condition s0 No coBuchi condition
Streett condition (s0,s1, s0) Rabin
condition (?,s0)
65
?? a
a
?a
s1
s0
No Buchi condition coBuchi condition s0
Streett condition (s1, ?) Rabin condition
(s1, s0,s1)
66
?? a
a
?a
s1
s0
a
s2
Buchi condition s2
67
-Buchi and coBuchi automata cannot be
determinized -Streett and Rabin automata can be
determinized
nondeterministic Buchi deterministic Streett
deterministic Rabin nondeterministic Streett
nondeterministic Rabin omega-regular Buchi
1960
68
Omega-automaton determinization is even harder
(conceptually, at least) than finite-automaton
determinization Safra 1989. So monitor
automata and simulation are particularly
important.
69
Omega-automata are strictly more expressive than
LTL
Omega-automata omega-regular languages LTL
counter-free omega-regular languages
?
70
Omega-automata omega-regular languages
second-order theory of monadic predicates
successor omega-regular expressions LTL
counter-free omega-regular languages
first-order theory of monadic predicates
successor star-free omega-regular
expressions
?
71
Structure of the omega-regular languages
Streett Rabin
Buchi
Finite
coFinite
coBuchi
72
Structure of the counter-free omega-regular
languages
positive boolean combinations of ?? and ??
??
?
?
??
73
The location of a linear-time property in the
Borel hierarchy indicates how hard (theoretically
as well as conceptually) the corresponding
model-checking problem is.
74
positive boolean combinations of ?? and ??
weak fair
safety
??
?
?
??
response
strong fair