Model Checking II - PowerPoint PPT Presentation
Provided by: MarySh75
Slides: 55

Transcript and Presenter's Notes

1
Model Checking II
  • How CTL model checking works

2
CTL
  • A E X F G U
  • Model checking problem
  • Determine M, s0 ⊨ f
  • Or find all s s.t. M, s ⊨ f

3
  • Need only the boolean connectives (¬, ∧) and
  • E X F G U
  • define others
  • e.g.
  • AG p ≡ ¬EF ¬p
  • A(p U q) ≡ ¬E(¬q U (¬p ∧ ¬q))
  • ∧ ¬EG(¬q)
  • (Could skip EF and define in terms of EU, but
    hopefully seeing how EF is done aids
    understanding)

4
Explicit state model checking
  • Option 1 CES (original
    paper)
  • Represent state transition graph explicitly
  • Walk around marking states
  • Graph algorithms involving strongly connected
    components etc.
  • Not covered in this course (cf. SPIN)
  • Used particularly in software model checking

5
Symbolic MC
  • Option 2 McMillan et al
  • because of
  • STATE EXPLOSION problem
  • State graph exponential in program/circuit size
  • Graph algorithms linear in state graph size
  • INSTEAD
  • Use symbolic representation of both sets of
    states
  • and of state transition graph

6
Symbolic MC
  • Sets of states and relations between states:
    formulas (BDDs)
  • Fixed point characterisations of CTL ops
  • NO explicit state graph

7
A state
  • Vector of boolean variables
  • (v1, v2, v3, ..., vn) ∈ {0,1}^n

8
Boolean formulas
  • (x ⊕ y) ⊕ z (⊕ is exclusive or)
  • (1 ⊕ 0) ⊕ 0 = 1
  • assignment x=1, y=0, z=0 gives answer 1
  • is a model or satisfying assignment
  • Write as 100
  • Exercise: Find another model

9
Boolean formulas
  • (x ⊕ y) ⊕ z
  • (1 ⊕ 1) ⊕ 0 = 0
  • assignment x=1, y=1, z=0 is not a model

10
  • Formula is a tautology if ALL assignments are
    models and is contradictory if NONE is.

11
Boolean formulas
  • For us, interesting formulas are somewhere in
    between: some assignments are models, some not
  • IDEA: A formula can represent a set of states
    (its models)


12

  • ∅: false
  • {111}: x ∧ y ∧ z
  • {101}: x ∧ ¬y ∧ z
  • {111,101}: x ∧ z
  • ...
  • {000,001, ..., 111}: true

13
Example
  • (x ⊕ y) ⊕ z represents {100,010,001,111}
  • for states of the form xyz
  • Exercise: Find formulas (with var. names x,y,z)
    for the sets
  • {100}
  • {110,100,010,000}

14
What is needed now?
  • A good data structure for boolean formulas
  • Binary Decision Diagrams (BDDs)
  • Lee (Bell Systems Tech. Journal 59)
  • Akers (IEEE Trans. Comp 78)
  • Bryant (IEEE Trans. Comp. 86, most cited CS
    paper!)
  • see also Bryant's document about a Hitachi patent
    from 93
  • McMillan saw application to symbolic MC

15
Binary Decision Diagrams
  • Canonical form (constant time comparison)
  • Polynomial algorithms for and, or, not etc.
  • Exponential but practically efficient algorithm
    for boolean quantification (even of sets of
    variables)
  • Read Hu's excellent tutorial paper (See Course
    Literature)
  • (Presentation based on lecture notes by Ken
    McMillan)

16
Ordered Decision Tree
ab + cd, i.e. (a ∧ b) ∨ (c ∧ d)
[Figure: ordered decision tree for (a ∧ b) ∨ (c ∧ d) with variable order a, b, c, d; the 16 leaves, left to right, are 0 0 0 1 0 0 0 1 0 0 0 1 1 1 1 1]
17
To get OBDD
  • Combine isomorphic subtrees
  • Eliminate redundant nodes (those with identical
    children)
  • Tree becomes a graph

18
(O)BDD
ab + cd, i.e. (a ∧ b) ∨ (c ∧ d)
[Figure: the reduced OBDD for (a ∧ b) ∨ (c ∧ d): one node each for a, b, c and d plus the terminals 0 and 1]
19
Make BDD for
(x ⊕ y) ⊕ z
20
Combinational equivalence checking
For two circuits with single boolean outputs,
make BDDs for each circuit and see if they are
the same. Of course the BDDs are built up by
application of BDD construction functions and,
or, not etc., NOT by making a decision tree and
then reducing.
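An added example (not from the slides or from McMillan's notes) for slides 16 to 20: a reduced OBDD built in Python by Shannon expansion with a unique table, so isomorphic subgraphs are shared and nodes with identical children are dropped as on slide 17, and two functions are equivalent exactly when they get the same root id (slide 20); models() recovers the set of states a formula represents (slides 12 and 13). The class name BDD and its methods are this example's own, not any package's API.

```python
# Added example (not from the slides): a reduced ordered BDD built from a
# Python boolean function. build() Shannon-expands over the variable order
# (the decision tree of slide 16); mk() drops nodes with identical children
# and the unique table shares isomorphic subgraphs (slide 17).
FALSE, TRUE = 0, 1             # ids of the two terminal nodes

class BDD:
    def __init__(self, order):
        self.order = list(order)   # variable order, e.g. ["a", "b", "c", "d"]
        self.nodes = {}            # node id -> (var index, low child, high child)
        self.unique = {}           # (var index, low, high) -> node id

    def mk(self, var, low, high):
        if low == high:            # redundant node: both children identical
            return low
        key = (var, low, high)
        if key not in self.unique: # new shape; otherwise reuse the existing node
            self.unique[key] = len(self.nodes) + 2
            self.nodes[self.unique[key]] = key
        return self.unique[key]

    def build(self, f, env=None, i=0):
        """Shannon-expand f (a function of keyword args named as in order)."""
        env = {} if env is None else env
        if i == len(self.order):                 # every variable assigned: a leaf
            return TRUE if f(**env) else FALSE
        v = self.order[i]
        low = self.build(f, {**env, v: 0}, i + 1)
        high = self.build(f, {**env, v: 1}, i + 1)
        return self.mk(i, low, high)

    def size(self, root):
        """Number of internal (non-terminal) nodes reachable from root."""
        seen = set()
        def walk(n):
            if n not in (FALSE, TRUE) and n not in seen:
                seen.add(n)
                walk(self.nodes[n][1])
                walk(self.nodes[n][2])
        walk(root)
        return len(seen)

    def models(self, root, i=0, prefix=""):
        """Satisfying assignments as bit-strings in variable order (slide 12)."""
        if i == len(self.order):
            return {prefix} if root == TRUE else set()
        if root in (FALSE, TRUE) or self.nodes[root][0] != i:
            lo = hi = root         # variable i was eliminated: its value is free
        else:
            _, lo, hi = self.nodes[root]
        return self.models(lo, i + 1, prefix + "0") | self.models(hi, i + 1, prefix + "1")
```

With order x, y, z the parity function (x ⊕ y) ⊕ z gives five internal nodes, and ab + cd with order a, b, c, d gives the four-node diagram of slide 18.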
21
BDDs
  • Many formulas (and circuits) have small
    representations
  • - Some do not! Multipliers
  • - BDD representation of a function can vary
    exponentially in size depending on variable
    ordering: users may need to play with variable
    orderings (less automatic)
  • Good algorithms and packages (e.g. CUDD)
  • EXTREMELY useful in practice
  • - Size limitations a big problem

22
Represent a set of states
  • Just make the BDD for a corresponding formula!

23
Represent a transition relation R
  • Remember that R is just
  • a set of pairs of states
  • Use two sets of variables, v and v' (with the
    primed variables representing next states)
  • Make a formula involving both v and v' and from
    that a BDD bdd(R,(v,v'))

24
What set of states can we reach from set P in one
step?
[Figure: set P with R-transitions leading out of it]
Image(P,R) = {t | ∃s. s ∈ P ∧ s R t}
25
Forward Image
[Figure: set P with R-transitions leading out of it]
Image(P,R) = {t | ∃s. s ∈ P ∧ s R t}
bdd(Image(P,R),v') = ∃v. bdd(P,v) ∧ bdd(R,(v,v'))
26
Backward image

[Figure: set Q with R-transitions leading into it]
Image⁻¹(Q,R) = {s | ∃t. t ∈ Q ∧ s R t}
bdd(Image⁻¹(Q,R),v) = ∃v'. bdd(Q,v') ∧ bdd(R,(v,v'))
27
So far
  • BDDs for
  • sets of states
  • transition relation
  • calculating forward or backward image of a set
  • Need one last idea iteration to a fixed point
    based on recursive description of CTL ops

28
Symbolic MC of CTL
  • Compute set of states satisfying a formula
    recursively (and use BDDs as rep.)
  • consider ¬, ∧, EX, EF, EG, EU
  • define others

29
  • CTL formula f: H(f), the set of states
    satisfying f
  • a (atomic): L(a) (cf. Lars)
  • ¬p: S \ H(p)
  • p ∧ q: H(p) ∩ H(q)
  • EX p: familiar?

30
  • CTL formula f: H(f), the set of states
    satisfying f
  • EX p: Image⁻¹(H(p),R)

31
  • CTL formula f: bdd for the set of states
    satisfying f
  • EX p: ∃v'. bdd(p,v') ∧ bdd(R,(v,v'))

32
Remaining operators
  • Recursive characterisation
  • EF p ≡ p ∨ EX (EF p)

33
CTL
  • EF p ≡ p ∨ EX (EF p)
  • Start with the empty set of states, ∅, as a first
    guess, and improve it by applying
  • p ∨ EX (.) to it

34
Fixed point iteration (formulas)
  • S0 = false
  • S1 = p ∨ EX (false) = p
  • S2 = p ∨ EX (p)
  • S3 = p ∨ EX (p ∨ EX (p))
  • and so on
  • Will eventually terminate. Why?

35
Now think sets
  • S0 = ∅, the empty set of states
  • S1 = H(p) ∪ Image⁻¹(∅,R) = H(p)
  • S2 = H(p) ∪ Image⁻¹(H(p),R)
  • S(i+1) = H(p) ∪ Image⁻¹(Si,R)
  • Will eventually terminate. Why?

36
Fixed point iteration
[Figure: the set P = H(p)]
37
Fixed point iteration
p ∨ EX p
[Figure: P grown by one backward step]
38
Fixed point iteration
p ∨ EX (p ∨ EX p)
[Figure: P grown by two backward steps]
39
Fixed point iteration
Eventually stops!
[Figure: the iteration continued until no new states are added]
40
LEAST fixed point
  • Started with a small set (empty, indeed) and made
    it larger.
  • All ok because
  • F(B) = H(p) ∪ Image⁻¹(B,R) is monotonic
  • (i.e. if B ⊆ B' then F(B) ⊆ F(B'))
  • Write least y s.t. y = F(y) as μy.F(y)

41
EG
  • EG p ≡ p ∧ EX (EG p)
  • This time need to work downwards

42
Fixed point iteration (formulas)
  • S0 = true
  • S1 = p ∧ EX (true)
  • S2 = p ∧ EX (p ∧ EX (true))
  • and so on
  • Will eventually terminate. Why?

43
Now think sets
  • S0 = S, the entire set of states
  • S1 = H(p) ∩ Image⁻¹(S,R)
  • S2 = H(p) ∩ Image⁻¹(H(p) ∩ Image⁻¹(S,R), R)
  • S(i+1) = H(p) ∩ Image⁻¹(Si,R)
  • Will eventually terminate.

44
Greatest fixed point
  • EG p ≡ p ∧ EX (EG p)
  • H(EG p) =
  • νy. H(p) ∩ Image⁻¹(y,R)

45
EG
  • EG p ≡ p ∧ EX (EG p)
  • H(EG p) =
  • νy. H(p) ∩ Image⁻¹(y,R)
  • NB We can do all of these operations using
    BDDs to represent the sets

46
Fixed point iteration in the other direction
[Figure: the set P = H(p)]
47
Fixed point iteration in the other direction
p ∧ EX p
[Figure: P shrunk by one backward step]
48
Fixed point iteration in the other direction
p ∧ EX (p ∧ EX p)
[Figure: P shrunk by two backward steps]
49
Fixed point iteration in the other direction
p ∧ EX (p ∧ EX p)
...
[Figure: the iteration continued until the set stops shrinking]
50
EU
  • E (p U q) ≡ q ∨ (p ∧ EX (E (p U q)))
  • H(E (p U q)) =
  • μy. H(q) ∪ (H(p) ∩ Image⁻¹(y,R))
  • This is a generalisation of the EF case.
  • Remember that E (True U q) = EF q
  • Exercise: define H(A(p U q)). See earlier
    slide

51
  • All done with BDDs (and recursion and fixed
    point iteration)
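An added example (not the slides' or McMillan's code) of the recursive H(f) of slides 29 to 50, run on a constructed four-state Kripke structure: explicit sets of bit-strings stand in for the BDDs so that the μ and ν iterations are visible, and replacing set union, intersection and pre with the corresponding BDD operations would give the symbolic version. The class and method names are this example's own; AG and A(p U q) are derived by the dualities of slide 3.

```python
# Added example (not from the slides): CTL model checking by fixed-point
# iteration. Explicit sets of states stand in for the slides' BDDs; the
# recursion on formulas and the mu/nu iterations are the same.
class Kripke:
    def __init__(self, states, R, labels):
        self.S = frozenset(states)                 # all states
        self.R = set(R)                            # transition relation: (s, t) pairs
        self.L = {a: frozenset(v) for a, v in labels.items()}   # atom -> H(atom)

    def pre(self, Q):
        """Image^-1(Q, R): states with at least one successor in Q."""
        return frozenset(s for (s, t) in self.R if t in Q)

    def lfp(self, F):
        """mu y. F(y): start from the empty set and grow until stable."""
        y = frozenset()
        while (nxt := F(y)) != y:
            y = nxt
        return y

    def gfp(self, F):
        """nu y. F(y): start from all states and shrink until stable."""
        y = self.S
        while (nxt := F(y)) != y:
            y = nxt
        return y

    # H(f) for the basic operators (slides 29 to 50)
    def atom(self, a): return self.L[a]
    def neg(self, P): return self.S - P
    def conj(self, P, Q): return P & Q
    def EX(self, P): return self.pre(P)
    def EF(self, P): return self.lfp(lambda y: P | self.pre(y))
    def EG(self, P): return self.gfp(lambda y: P & self.pre(y))
    def EU(self, P, Q): return self.lfp(lambda y: Q | (P & self.pre(y)))

    # derived operators, by the dualities on slide 3
    def AG(self, P): return self.neg(self.EF(self.neg(P)))
    def AU(self, P, Q):
        nP, nQ = self.neg(P), self.neg(Q)
        return self.neg(self.EU(nQ, nP & nQ)) & self.neg(self.EG(nQ))

# Constructed four-state structure (not from the slides): state bits written
# as strings; p holds in 01 and 10, q only in 11.
M = Kripke(
    states=["00", "01", "10", "11"],
    R=[("00", "01"), ("01", "10"), ("10", "00"), ("10", "11"), ("11", "11")],
    labels={"p": ["01", "10"], "q": ["11"]},
)
```

On M, EF q grows from ∅ through {11}, {10,11}, {01,10,11} to all four states, while EG p shrinks from S through {01,10}, {01} to ∅ because every p-path leaves p within two steps.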

52
Concrete example
[Figure: transition graph on the eight states 000, 001, ..., 111]
53
Concrete example
[Figure: the same graph with the states numbered 0 to 7]
Exercise: calculate the set of states satisfying
EF p, p = dreq ? q0 ? dack (answer will be available later)
54
Concrete example
[Figure: the same graph with the states numbered 0 to 7]
Also calculate for
EG p, p = (dreq ? q0) ? dack