Title: Model Checking
Model Checking, Lecture 3, Tom Henzinger

Model-Checking Problem

  I ⊨ S
  (I: system model, S: system property)

System Model

- state-transition graph
- weak or strong fairness constraints

System Properties

Temporal logics
- STL (finite runs): ∃◇, ∃U
- CTL (infinite runs): ∃◇, ∃U, ∃□
- LTL (infinite traces): ◇, U

Automata
- specification automata (trace containment)
- monitor automata (trace emptiness)
- simulation automata (relation on finite runs)

Acceptance Conditions

- finite automata: ◇
- Buchi automata: □◇
- coBuchi automata: ◇□
- Streett automata: ∧ (◇□ ∨ □◇)
- Rabin automata: ∨ (◇□ ∧ □◇)

Response specification automaton for □(a → ◇b), assuming (a ∧ b) is false

(figure: automaton with states s0, s1, s2, s3 and transition labels a, ¬b, b, ¬a)

Buchi condition: {s0, s3}

Response monitor automaton for □(a → ◇b), assuming (a ∧ b) is false

(figure: automaton with states s0, s1, s2 and transition labels a, ¬b, true)

Buchi condition: {s2}

□◇ a

(figure: automaton with state s0 labelled a and state s1 labelled ¬a)

Buchi condition: {s0}
No coBuchi condition
Streett condition: ({s0, s1}, {s0})
Rabin condition: (∅, {s0})

◇□ a

(figure: automaton with state s0 labelled a and state s1 labelled ¬a)

No Buchi condition
coBuchi condition: {s0}
Streett condition: ({s1}, ∅)
Rabin condition: ({s1}, {s0, s1})

◇□ a

(figure: automaton with states s0 labelled a, s1 labelled ¬a, and s2 labelled a)

Buchi condition: {s2}

- Buchi and coBuchi automata cannot be determinized
- Streett and Rabin automata can be determinized

nondeterministic Buchi = deterministic Streett = deterministic Rabin = nondeterministic Streett = nondeterministic Rabin = omega-regular   [Buchi 1960]

Omega-automata are strictly more expressive than LTL

Omega-automata = omega-regular languages
LTL = counter-free omega-regular languages

Omega-automata
= omega-regular languages
= second-order theory of monadic predicates and successor
= omega-regular expressions

LTL
= counter-free omega-regular languages
= first-order theory of monadic predicates and successor
= star-free omega-regular expressions

Structure of the Omega-Regular Languages

(diagram: hierarchy with Streett = Rabin at the top, Buchi and coBuchi below, and Finite and coFinite at the bottom)

Structure of the Counter-free Omega-Regular Languages

(diagram: hierarchy with finite boolean combinations of □◇ and ◇□ at the top, □◇ and ◇□ below, and ◇ and □ at the bottom)

The location of a linear-time property in the Borel hierarchy indicates how hard (theoretically as well as conceptually) the corresponding model-checking problem is.

(diagram: the counter-free hierarchy of the previous slide annotated with property classes; recoverable labels: finite boolean combinations of □◇ and ◇□, weak fair, safety, □◇, ◇, □, ◇□, response, strong fair)

Model-Checking Algorithms = Graph Algorithms

- Safety
  - solve: STL (∃U model checking), finite monitors (◇ emptiness)
  - algorithm: reachability (linear)
- Response under weak fairness
  - solve: weakly fair CTL (∃□ model checking), Buchi monitors (□◇ emptiness)
  - algorithm: strongly connected components (linear)
- Liveness
  - solve: strongly fair CTL, Streett monitors (∧(◇□ ∨ □◇) emptiness)
  - algorithm: recursively nested SCCs (quadratic)

From specification automata to monitor automata: determinization (exponential), complementation (easy)
From LTL to monitor automata: complementation (easy), tableau construction (exponential)
Simulation automata: preorder refinement (quadratic)

Five Algorithms

- Reachability
- Strongly connected components
- Recursively nested SCCs
- Tableau construction
- Preorder refinement
- Streett determinization

Finite Emptiness

Given: finite automaton (S, S0, →, ⟨⟨·⟩⟩, FA)
Find: is there a path from a state in S0 to a state in FA?
Solution: depth-first or breadth-first search

Application 1: STL model checking
Application 2: finite monitors

Buchi Emptiness

Given: Buchi automaton (S, S0, →, ⟨⟨·⟩⟩, BA)
Find: is there an infinite path from a state in S0 that visits some state in BA infinitely often?
Solution:
  1. Compute the SCC graph by depth-first search
  2. Mark SCC C as fair iff C ∩ BA ≠ ∅
  3. Check if some fair SCC is reachable from S0

Application 1: CTL model checking over weakly-fair transition graphs (note: really need multiBuchi)
Application 2: Buchi monitors

Streett Emptiness

Given: Streett automaton (S, S0, →, ⟨⟨·⟩⟩, SA)
Find: is there an infinite path from a state in S0 that satisfies all Streett conditions (l, r) in SA?
Solution: check if S0 ∩ RecSCC(S, →, SA) ≠ ∅

function RecSCC(S, →, SA)
  X := ∅
  for each C ∈ SCC(S, →) do
    F := ∅
    if →C ≠ ∅ then                        (C is non-trivial: it contains a transition)
      for each (l, r) ∈ SA do
        if C ∩ r ≠ ∅ then F := F ∪ {(l, r)}
        else C := C \ l
      if F = SA then X := X ∪ pre(C)      (states from which C is reachable)
      else X := X ∪ RecSCC(C, →C, F)
  return X

(→C denotes the transition relation → restricted to C)

Complexity

n: number of states, m: number of transitions, s: number of Streett pairs

Reachability: O(n+m)
SCC: O(n+m)
RecSCC: O((n+m)·s²)

Application 1: CTL model checking over strongly-fair transition graphs
Application 2: Streett monitors

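The Buchi and Streett emptiness procedures above, as an added example in Python that is not code from the lecture: RecSCC as on the slide, with Buchi emptiness as the special case of the single Streett pair (S, BA). The automaton at the bottom is a constructed toy, and SCCs are computed by mutual reachability instead of the linear-time DFS the slides assume.

```python
# Added example, not code from the lecture: the slides' SCC-based emptiness checks.
# Streett emptiness uses RecSCC; Buchi emptiness is the special case with the single
# pair (S, BA). Inputs are constructed toys; SCCs come from mutual reachability.

def reach(states, succ, start):
    """States of `states` reachable from `start` (start included)."""
    seen, todo = {start}, [start]
    while todo:
        for w in succ(todo.pop()):
            if w in states and w not in seen:
                seen.add(w); todo.append(w)
    return seen

def sccs(states, succ):
    """SCCs of the graph restricted to `states`: u, v share one iff each reaches the other."""
    r = {v: reach(states, succ, v) for v in states}
    return {frozenset(u for u in states if v in r[u] and u in r[v]) for v in states}

def pre(states, succ, target):
    """pre(target): states from which some state of `target` is reachable."""
    return {v for v in states if reach(states, succ, v) & target}

def rec_scc(S, succ, pairs):
    """RecSCC(S, ->, SA): states from which an infinite path satisfies every
    Streett pair (l, r): infinitely often l implies infinitely often r."""
    def go(states, pairs):
        x = set()
        for c in sccs(states, succ):
            c = set(c)
            if not any(w in c for v in c for w in succ(v)):
                continue  # trivial SCC (no transition inside): no infinite path
            f = []
            for l, r in pairs:
                if c & r: f.append((l, r))  # pair can be satisfied inside c
                else: c -= l                # drop l: the pair then holds vacuously
            if len(f) == len(pairs): x |= pre(S, succ, c)  # pre over the full graph
            else: x |= go(c, f)             # nested SCCs of the reduced component
        return x
    return go(S, pairs)

def streett_nonempty(S, S0, succ, pairs):
    return bool(S0 & rec_scc(S, succ, pairs))

def buchi_nonempty(S, S0, succ, BA):
    return streett_nonempty(S, S0, succ, [(S, BA)])

# Constructed input: the slides' two-state automaton, s0 labelled a and s1
# labelled not-a, here with all four transitions present.
S = {"s0", "s1"}
EDGES = {"s0": ["s0", "s1"], "s1": ["s0", "s1"]}
succ = lambda v: EDGES[v]
```

With the Buchi condition {s0} the language is non-empty (a path visits s0 infinitely often), and the Streett pair ({s1}, ∅) of the ◇□a slide is satisfied by staying in s0 forever.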
Tableau Construction

Given: LTL formula φ
Find: Buchi automaton M_φ such that L(M_φ) = L(φ)

[Fischer, Ladner 1975], [Manna, Wolper 1982]

Fischer-Ladner Closure of a Formula

Sub(a) = {a}
Sub(φ ∧ ψ) = {φ ∧ ψ} ∪ Sub(φ) ∪ Sub(ψ)
Sub(¬φ) = {¬φ} ∪ Sub(φ)
Sub(○φ) = {○φ} ∪ Sub(φ)
Sub(φ U ψ) = {φ U ψ, ○(φ U ψ)} ∪ Sub(φ) ∪ Sub(ψ)

|Sub(φ)| = O(|φ|)

s ⊆ Sub(φ) is consistent iff
- if (φ ∧ ψ) ∈ Sub(φ) then (φ ∧ ψ) ∈ s iff φ ∈ s and ψ ∈ s
- if (¬φ) ∈ Sub(φ) then (¬φ) ∈ s iff φ ∉ s
- if (φ U ψ) ∈ Sub(φ) then (φ U ψ) ∈ s iff either ψ ∈ s, or φ ∈ s and ○(φ U ψ) ∈ s

Tableau M_φ = (S, S0, →, ⟨⟨·⟩⟩, BA)

S ... set of consistent subsets of Sub(φ)
s ∈ S0 iff φ ∈ s
s → t iff for all (○ψ) ∈ Sub(φ), (○ψ) ∈ s iff ψ ∈ t
⟨⟨s⟩⟩ ... conjunction of the atomic observations in s and the negated atomic observations not in s
For each (φ U ψ) ∈ Sub(φ), BA contains {s | ψ ∈ s or (φ U ψ) ∉ s}

Size of M_φ is O(2^|φ|).

CTL model checking: linear / quadratic
LTL model checking: PSPACE-complete

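The tableau construction of the preceding slides, as an added example in Python that is not code from the lecture: the closure Sub, the consistency test, and the automaton M_φ built from consistent subsets, with one Buchi set per until-subformula exactly as the slide defines it. The tuple encoding of formulas and the sample formula a U b are constructed here.

```python
# Added example, not code from the lecture: the tableau construction of the slides.
# Formulas are nested tuples ("ap", name), ("not", f), ("and", f, g), ("next", f),
# ("until", f, g). The result is a generalized Buchi automaton with one accepting
# set per until-subformula, as on the slide. The sample formula is constructed.
from itertools import combinations

def sub(f):
    """Fischer-Ladner closure Sub(f)."""
    op = f[0]
    if op == "ap": return {f}
    if op in ("not", "next"): return {f} | sub(f[1])
    if op == "and": return {f} | sub(f[1]) | sub(f[2])
    return {f, ("next", f)} | sub(f[1]) | sub(f[2])   # until

def consistent(s, closure):
    """Local consistency of s (a subset of the closure) as defined on the slide."""
    for g in closure:
        op = g[0]
        if op == "and" and (g in s) != (g[1] in s and g[2] in s): return False
        if op == "not" and (g in s) != (g[1] not in s): return False
        if op == "until" and (g in s) != (g[2] in s or (g[1] in s and ("next", g) in s)):
            return False
    return True

def tableau(phi):
    """M_phi = (S, S0, ->, obs, BA): S consistent subsets of Sub(phi), S0 those
    containing phi, s -> t iff the next-obligations of s hold in t, obs(s) the
    literals of s, and one Buchi set per until: states where the until is discharged."""
    closure = sorted(sub(phi), key=repr)
    S = [frozenset(c) for k in range(len(closure) + 1) for c in combinations(closure, k)]
    S = [s for s in S if consistent(s, closure)]
    S0 = {s for s in S if phi in s}
    nexts = [g for g in closure if g[0] == "next"]
    edges = {(s, t) for s in S for t in S if all((g in s) == (g[1] in t) for g in nexts)}
    aps = [g for g in closure if g[0] == "ap"]
    obs = {s: frozenset((a[1], a in s) for a in aps) for s in S}
    BA = [{s for s in S if g[2] in s or g not in s} for g in closure if g[0] == "until"]
    return S, S0, edges, obs, BA

# Constructed input: phi = a U b, whose closure is {a U b, next(a U b), a, b}.
PHI = ("until", ("ap", "a"), ("ap", "b"))
```

For a U b the closure has 4 elements, 8 of the 16 subsets are consistent, 5 of them contain the formula and form S0, and the single Buchi set holds the 7 states in which b holds or the until is not pending.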
Preorder Refinement

Given: state-transition graph (Q, →, A, ⟨⟨·⟩⟩)
Find: for each state q ∈ Q, the set sim(q) ⊆ Q of states that simulate q

[Bloom, Paige 1995], [H, H, Kopke 1995]

for each t ∈ Q do
  sim(t) := {u ∈ Q | ⟨⟨u⟩⟩ = ⟨⟨t⟩⟩}
while there are three states s, t, u such that t → s, u ∈ sim(t), and sim(s) ∩ post(u) = ∅ do
  sim(t) := sim(t) \ {u}

assert: if u simulates t, then u ∈ sim(t)
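The refinement loop of the slide, as an added example in Python that is not code from the lecture. The graph (observation labels and successor lists) is a constructed toy chosen so that two states have the same traces but are not simulation-equivalent; is_simulation checks that every u kept in sim(t) really does simulate t.

```python
# Added example, not code from the lecture: the preorder-refinement loop of the
# slide, on a constructed graph given as observation labels and successor lists.
# is_simulation checks that the computed sim sets form a simulation relation.

def simulation(Q, obs, succ):
    """sim(t) = states that simulate t. Start from equal observations, then remove
    u from sim(t) while some move t -> s has no match u -> u' with u' in sim(s)."""
    sim = {t: {u for u in Q if obs[u] == obs[t]} for t in Q}
    changed = True
    while changed:
        changed = False
        for t in Q:
            for s in succ[t]:
                for u in list(sim[t]):
                    if not (sim[s] & set(succ[u])):
                        sim[t].discard(u)   # u cannot match the move t -> s
                        changed = True
    return sim

def is_simulation(sim, obs, succ):
    """u in sim(t) implies equal observations and every move t -> s is matched
    by some u -> u' with u' in sim(s)."""
    return all(obs[u] == obs[t] and all(sim[s] & set(succ[u]) for s in succ[t])
               for t in sim for u in sim[t])

# Constructed input: x0 and y0 have the same traces (a b c and a b d), but y0
# commits at its first step to one branch, so y0 does not simulate x0 while
# x0 does simulate y0.
Q = ["x0", "x1", "x2", "x3", "y0", "y1", "y1p", "y2", "y3"]
OBS = {"x0": "a", "x1": "b", "x2": "c", "x3": "d",
       "y0": "a", "y1": "b", "y1p": "b", "y2": "c", "y3": "d"}
SUCC = {"x0": ["x1"], "x1": ["x2", "x3"], "x2": [], "x3": [],
        "y0": ["y1", "y1p"], "y1": ["y2"], "y1p": ["y3"], "y2": [], "y3": []}
```

The loop terminates because every iteration removes at least one element from some sim set; the result is the greatest simulation, so sim(x0) = {x0} while sim(y0) = {x0, y0}.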