© imperial college londonpage 1 model checking and refinement checking for modal transition systems...
Post on 14-Dec-2015
216 Views
Preview:
TRANSCRIPT
© Imperial College LondonPage 1
Model checking and refinement checking for modal transition systems and their cousinsMTS meeting 2007
Adam Antonik & Michael Huthimperial.ac.uk/quads
© Imperial College LondonPage 2
PART 1
REPORT ON PUBLISHED WORK ON MODEL CHECKING PARTIAL KRIPKE STRUCTURES
© Imperial College LondonPage 3
Partial Kripke structures
• Often need aggressive abstraction of model prior to model checking
• Partial state spaces facilitate this, as Kripke structures with 3-valued labeling [Bruns & Godefroid 1999]
© Imperial College LondonPage 4
Abstraction-based model checking
• Partial Kripke structures have abstraction & refinement notion
• System = Kripke structure• Abstraction = Partial Kripke structure, refined by System• Verification Problem: “Do all Kripke structure
refinements of Abstraction satisfy formula of mu-calculus?”
- If so, System will satisfy it, too. - If not, we may be no wiser.
© Imperial College LondonPage 5
Complexity, Soundness & Incompleteness
• Verification Problem: “Do all Kripke structure refinements of Abstraction satisfy formula of mu-calculus?”
• This is EXPTIME-complete in formula, quadratic in model [Bruns & Godefroid 2000]
• Approximate version of Verification Problem linear in formula/model [Bruns & Godefroid 1999]
• If approximate version verifies abstraction, system also verified (soundness)
• If approximate version doesn’t verify abstraction, system may still satisfy considered formula: under-approximation (incompleteness)
© Imperial College LondonPage 6
Refinement = Abstraction-1
© Imperial College LondonPage 7
Example
Pointed Kripke structure (N,t1)
refines pointed model (M,s1)
© Imperial College LondonPage 8
Formal Verification Problem
(M,s) pointed model: M with initial state s
holds iff all pointed Kripke structures that refine (M,s) satisfy
holds iff some pointed Kripke structure refines (M,s) and satisfies
© Imperial College LondonPage 9
Example
Judgment holds
© Imperial College LondonPage 10
Counterexample
Doesn’t hold: (N,t1) is counterexample
© Imperial College LondonPage 11
Approximate versions of judgments
• Use semantics similar to labeling algorithm
• Compositionally evaluate sub-formulas
• Do this in pessimistic and in optimistic mode for
• Pessimistic mode: under-approximates
• Optimistic mode: over-approximates
© Imperial College LondonPage 12
Optimistic (o) and pessimistic (p) approximative semantics for mu-calculus
Partial Kripke structure M = (S,R,L)
© Imperial College LondonPage 13
Formal soundness of approximation
For sentence and for set
Soudness as two, co-dependent, implications:
© Imperial College LondonPage 14
Incompleteness of approximation
• If L(s,q) = 1/2, then the tautology holds at state s, but the pessimistic semantics
won’t verify this.• But pessimistic semantics is complete for many practically
relevant property patterns [Antonik & Huth 2006], e.g.
“precedence chain: 2 stimuli, 1 response; globally, q and s precede r”
patterns.project.cis.ksu.edu
© Imperial College LondonPage 15
Making imprecise patterns precise
All patterns at patterns.project.cis.ksu.edu are • either complete (already saw an example)• or become complete after trivial adjustments:
is incomplete for verification, but its semantically equivalent version
is complete for verification
© Imperial College LondonPage 16
Semantic self-minimization
• Sentence pessimistically self-minimizing:
Iff for all pointed models (M,s)
• Sentence optimistically self-minimizing:
Iff for all pointed models (M,s)
© Imperial College LondonPage 17
Decision Problems
• OSM = set of optimistically self-minimizing sentences
• PSM = set of pessimistically self-minimizing sentences
• VAL = set of valid sentences• UNSAT = set of unsatisfiable sentences
Study this for mu-calculus, modal logic, and propositional logic.
© Imperial College LondonPage 18
Partition in a picture
Negation mapspairs of sets intoeach other:• OSM and PSM• I and II• III and IV• V and itself• VI and itself
Also, VAL in OSM and disjoint from PSM.Dually, UNSAT in PSM and disjoint from OSM.
© Imperial College LondonPage 19
Set OSM, hardness result
• Sentence in OSM iff its negation is in PSM• So OSM and PSM have same complexity• Deciding OSM at least as hard as deciding
validity of logic:
where x atomic proposition not occuring in • This is desired reduction to VAL:
© Imperial College LondonPage 20
Set OSM, upper bound for mu-calculus
• For mu-calculus, OSM in 2EXPTIME• From construct two alternating tree automata -
exponential blowup in worst case - and then do language inclusion check for these automata - exponential in size of these automata [Godefroid & Huth 2005]:
• This language inclusion checks “completeness half” of
for all pointed models (M,s)
© Imperial College LondonPage 21
Set OSM, upper bound for modal logic
• For modal logic, OSM in EXPSPACE• From construct two two alternating tree
automata as before, and again check
• Both automata cannot distinguish trees at depths greater than size of (so called “shallow model property” of modal logic)
• So the above check is in PSPACE in the size of the automata
© Imperial College LondonPage 22
Set OSM, exact bound for propositional logic
• Already showed OSM is coNP-hard
• Show PL - OSM in NP:
© Imperial College LondonPage 23
Summary of results for mu-calculus
© Imperial College LondonPage 24
Summary of results for modal logic
© Imperial College LondonPage 25
Summary of results for propositional logic
© Imperial College LondonPage 26
PART 2
REPORT ON WORK ON REFINEMENT CHECKING OF MODAL TRANSITION SYSTEMS
© Imperial College LondonPage 27
Common implementations
• For k > 1 pointed modal transition systems (Mi,si) there is least-fixed point algorithm on their product state space for deciding whether these k models have a common refinement
• This algorithm is polynomial for fixed k• This problem becomes NP-hard for k=2 already if we
can name states uniquely with propositions (i.e. “nominals” in “hybrid logic”)
• This seems to be EXPTIME-complete in k [UNPUBLISHED]
• There does not exist a unique “most abstract” common refinement in general.
© Imperial College LondonPage 28
Proof sketch for EXPTIME-hardness [unpublished]
• Relies on EXPTIME = APSPACE• Takes alternating-time Turing machine A that
computes some EXPTIME-complete problem• There is a polynomial P such that each input s of
A has circular tape of length P(|s|)• For each input s of A, construct k > 1 modal
transition systems where k and size of models are polynomial in |s|
• Show: these k models have common refinement iff A has an accepting run for input s
© Imperial College LondonPage 29
Extensional refinement checking
Let (M1,s1) and (M2,s2) be pointed modal transition systems. We write I(Mi,si) for the class of pointed labeled transition systems that refine (Mi,si).
• Deciding whether I(M1,s1) is contained in I(M2,s2) appears to be PSPACE-hard in the sum of the sizes of M1 and M2. [UNPUBLISHED]
© Imperial College LondonPage 30
Proof sketch for PSPACE-hardness[unpublished]• QCNF, closed quantified Boolean formulas whose
propositional bodies are in conjunctive normal form, e.g. xyz[ (x&!y) || !z || (!x&z)]
• Computing truth values of QCNF is PSPACE-complete problem
• Given in QCNF, construct two modal transition systems N[] and M[] such that is false iff
I(N[],t) I(M[],s)• This reduction works also for strict inclusion
I(M1,s1) I(M2,s2), seems to work for disjunctive modal transition systems, but
may not work for I(M1,s1) = I(M2,s2)
© Imperial College LondonPage 31
Thank you.
© Imperial College LondonPage 32
© Imperial College LondonPage 33
“Experimental” data
• Used Perl script to randomly generate “all” formulas of propositional logic for sizes 1 to 5• Size = number of occurrences of logical connectives
in formula• Brute-force decision of membership: in OSM (~75%),
in set VI (~50%), and in NP-complete set V (~2.45%)• Less formulas seem to be in set VI as number of
logical operators in formula increases
top related