© Imperial College LondonPage 1

Model checking and refinement checking for modal transition systems and their cousinsMTS meeting 2007

Adam Antonik & Michael Huthimperial.ac.uk/quads

© Imperial College LondonPage 2

PART 1

REPORT ON PUBLISHED WORK ON MODEL CHECKING PARTIAL KRIPKE STRUCTURES

© Imperial College LondonPage 3

Partial Kripke structures

• Often need aggressive abstraction of model prior to model checking

• Partial state spaces facilitate this, as Kripke structures with 3-valued labeling [Bruns & Godefroid 1999]

© Imperial College LondonPage 4

Abstraction-based model checking

• Partial Kripke structures have abstraction & refinement notion

• System = Kripke structure• Abstraction = Partial Kripke structure, refined by System• Verification Problem: “Do all Kripke structure

refinements of Abstraction satisfy formula of mu-calculus?”

- If so, System will satisfy it, too. - If not, we may be no wiser.

© Imperial College LondonPage 5

Complexity, Soundness & Incompleteness

• Verification Problem: “Do all Kripke structure refinements of Abstraction satisfy formula of mu-calculus?”

• This is EXPTIME-complete in formula, quadratic in model [Bruns & Godefroid 2000]

• Approximate version of Verification Problem linear in formula/model [Bruns & Godefroid 1999]

• If approximate version verifies abstraction, system also verified (soundness)

• If approximate version doesn’t verify abstraction, system may still satisfy considered formula: under-approximation (incompleteness)

© Imperial College LondonPage 6

Refinement = Abstraction-1

© Imperial College LondonPage 7

Example

Pointed Kripke structure (N,t1)

refines pointed model (M,s1)

© Imperial College LondonPage 8

Formal Verification Problem

(M,s) pointed model: M with initial state s

holds iff all pointed Kripke structures that refine (M,s) satisfy

holds iff some pointed Kripke structure refines (M,s) and satisfies

© Imperial College LondonPage 9

Example

Judgment holds

© Imperial College LondonPage 10

Counterexample

Doesn’t hold: (N,t1) is counterexample

© Imperial College LondonPage 11

Approximate versions of judgments

• Use semantics similar to labeling algorithm

• Compositionally evaluate sub-formulas

• Do this in pessimistic and in optimistic mode for

• Pessimistic mode: under-approximates

• Optimistic mode: over-approximates

© Imperial College LondonPage 12

Optimistic (o) and pessimistic (p) approximative semantics for mu-calculus

Partial Kripke structure M = (S,R,L)

© Imperial College LondonPage 13

Formal soundness of approximation

For sentence and for set

Soudness as two, co-dependent, implications:

© Imperial College LondonPage 14

Incompleteness of approximation

• If L(s,q) = 1/2, then the tautology holds at state s, but the pessimistic semantics

won’t verify this.• But pessimistic semantics is complete for many practically

relevant property patterns [Antonik & Huth 2006], e.g.

“precedence chain: 2 stimuli, 1 response; globally, q and s precede r”

patterns.project.cis.ksu.edu

© Imperial College LondonPage 15

Making imprecise patterns precise

All patterns at patterns.project.cis.ksu.edu are • either complete (already saw an example)• or become complete after trivial adjustments:

is incomplete for verification, but its semantically equivalent version

is complete for verification

© Imperial College LondonPage 16

Semantic self-minimization

• Sentence pessimistically self-minimizing:

Iff for all pointed models (M,s)

• Sentence optimistically self-minimizing:

Iff for all pointed models (M,s)

© Imperial College LondonPage 17

Decision Problems

• OSM = set of optimistically self-minimizing sentences

• PSM = set of pessimistically self-minimizing sentences

• VAL = set of valid sentences• UNSAT = set of unsatisfiable sentences

Study this for mu-calculus, modal logic, and propositional logic.

© Imperial College LondonPage 18

Partition in a picture

Negation mapspairs of sets intoeach other:• OSM and PSM• I and II• III and IV• V and itself• VI and itself

Also, VAL in OSM and disjoint from PSM.Dually, UNSAT in PSM and disjoint from OSM.

© Imperial College LondonPage 19

Set OSM, hardness result

• Sentence in OSM iff its negation is in PSM• So OSM and PSM have same complexity• Deciding OSM at least as hard as deciding

validity of logic:

where x atomic proposition not occuring in • This is desired reduction to VAL:

© Imperial College LondonPage 20

Set OSM, upper bound for mu-calculus

• For mu-calculus, OSM in 2EXPTIME• From construct two alternating tree automata -

exponential blowup in worst case - and then do language inclusion check for these automata - exponential in size of these automata [Godefroid & Huth 2005]:

• This language inclusion checks “completeness half” of

for all pointed models (M,s)

© Imperial College LondonPage 21

Set OSM, upper bound for modal logic

• For modal logic, OSM in EXPSPACE• From construct two two alternating tree

automata as before, and again check

• Both automata cannot distinguish trees at depths greater than size of (so called “shallow model property” of modal logic)

• So the above check is in PSPACE in the size of the automata

© Imperial College LondonPage 22

Set OSM, exact bound for propositional logic

• Already showed OSM is coNP-hard

• Show PL - OSM in NP:

© Imperial College LondonPage 23

Summary of results for mu-calculus

© Imperial College LondonPage 24

Summary of results for modal logic

© Imperial College LondonPage 25

Summary of results for propositional logic

© Imperial College LondonPage 26

PART 2

REPORT ON WORK ON REFINEMENT CHECKING OF MODAL TRANSITION SYSTEMS

© Imperial College LondonPage 27

Common implementations

• For k > 1 pointed modal transition systems (Mi,si) there is least-fixed point algorithm on their product state space for deciding whether these k models have a common refinement

• This algorithm is polynomial for fixed k• This problem becomes NP-hard for k=2 already if we

can name states uniquely with propositions (i.e. “nominals” in “hybrid logic”)

• This seems to be EXPTIME-complete in k [UNPUBLISHED]

• There does not exist a unique “most abstract” common refinement in general.

© Imperial College LondonPage 28

Proof sketch for EXPTIME-hardness [unpublished]

• Relies on EXPTIME = APSPACE• Takes alternating-time Turing machine A that

computes some EXPTIME-complete problem• There is a polynomial P such that each input s of

A has circular tape of length P(|s|)• For each input s of A, construct k > 1 modal

transition systems where k and size of models are polynomial in |s|

• Show: these k models have common refinement iff A has an accepting run for input s

© Imperial College LondonPage 29

Extensional refinement checking

Let (M1,s1) and (M2,s2) be pointed modal transition systems. We write I(Mi,si) for the class of pointed labeled transition systems that refine (Mi,si).

• Deciding whether I(M1,s1) is contained in I(M2,s2) appears to be PSPACE-hard in the sum of the sizes of M1 and M2. [UNPUBLISHED]

© Imperial College LondonPage 30

Proof sketch for PSPACE-hardness[unpublished]• QCNF, closed quantified Boolean formulas whose

propositional bodies are in conjunctive normal form, e.g. xyz[ (x&!y) || !z || (!x&z)]

• Computing truth values of QCNF is PSPACE-complete problem

• Given in QCNF, construct two modal transition systems N[] and M[] such that is false iff

I(N[],t) I(M[],s)• This reduction works also for strict inclusion

I(M1,s1) I(M2,s2), seems to work for disjunctive modal transition systems, but

may not work for I(M1,s1) = I(M2,s2)

© Imperial College LondonPage 31

Thank you.

© Imperial College LondonPage 32

© Imperial College LondonPage 33

“Experimental” data

• Used Perl script to randomly generate “all” formulas of propositional logic for sizes 1 to 5• Size = number of occurrences of logical connectives

in formula• Brute-force decision of membership: in OSM (~75%),

in set VI (~50%), and in NP-complete set V (~2.45%)• Less formulas seem to be in set VI as number of

logical operators in formula increases