Model Checking
Lecture 3
Specification Automata
Syntax, given a set A of atomic observations:
S finite set of states
S0 S set of initial states
S S transition relation
: S PL(A) where the formulas of PL are
::= a | |
for a A
Specification Omega Automata
Syntax as for finite automata, in addition the following acceptance condition:
Buchi: BA S
Language L(M) of specification omega-automaton
M = (S, S0, , , BA ) :
infinite trace t0, t1, ... L(M)
iff
there exists an infinite run s0 s1 ... of M
such that
1. s0 s1 ... satisfies BA
2. for all i 0, ti |= (si)
Let Inf(s) = { p | p = si for infinitely many i }.
The infinite run s satisfies the acceptance condition BA
iff
Inf(s) BA
(K,q) |=L M iff L(K,q) L(M)
Linear semantics of specification omega automata:
omega-language containment
infinite traces
Response specification automaton :
(a b) assuming (a b) = false
a b
ba
s1
s2
s3
s0
Buchi condition { s0, s3 }
Response monitor automaton :
(a b) assuming (a b) = false
a b
s1 s2
Buchi condition { s2 }
s0
true
Outline
1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness
2 Graph algorithms for model checking
3 Symbolic algorithms for model checking
4 Pushdown systems
Model-Checking Algorithms = Graph Algorithms
1 Safety:
-solve: finite monitors ( emptiness)
-algorithm: reachability (linear)
2 Liveness:
-solve: Buchi monitors ( emptiness)
-algorithm: strongly connected components (linear)
We will talk about STL and CTL model checking later.
From specification automata to monitor automata:
determinization (exponential) + complementation (easy)
From LTL to monitor automata:
complementation (easy) + tableau construction (exponential)
Algorithms
1 Reachability
2 Strongly connected components
3 Tableau construction
Finite Emptiness
Given: finite automaton (S, S0, , , FA)
Find: is there a path from a state in S0 to a state in FA ?
Fix a set A of atomic observations
State-transition graph K
Q set of states
Q Q transition relation
[ ]: Q 2A observation function
Monitor automaton M
S finite set of states
S0 S set of initial states
S S transition relation
E S set of final states
: S PL(A) where the formulas of PL are
::= a | | for a A
(K,q) |=C M iff L(K,q) L(M) =
We construct another monitor automaton M’ such thatL(M’) = L(K,q) L(M)
S’ = {(q,s) Q S | [q] |= (s)} finite set of states
({q} S0) S’ set of initial states
(q,s) (q’,s’) transition relation
iff q q’ and s s’
(Q E) S’ set of final states
’: S’ PL(A) labeling function
’(q,s) = conjunction of atomic observations in [q] and negated atomic observations not in [q]
languages over finite traces
Finite Emptiness
Given: monitor automaton (S, S0, , , E)
Find: is there a path from a state in S0 to a state in E ?
Solution: depth-first or breadth-first search
dfs(s) { if (s E) then report error add s to dfsTable for each successor t of s if (t dfsTable) then dfs(t)}
Buchi Emptiness
Given: Buchi automaton (S, S0, , , BA)
Find: is there an infinite path from a state in S0 that visits some state in BA infinitely often ?
Monitor Buchi automaton M
S finite set of states
S0 S set of initial states
S S transition relation
BA S acceptance condition
: S PL(A) where the formulas of PL are
::= a | | for a A
(K,q) |=C M iff L(K,q) L(M) =
We construct another monitor Buchi automaton M’ such that L(M’) = L(K,q) L(M)
S’ = {(q,s) Q S | [q] |= (s)} finite set of states
({q} S0) S’ set of initial states
(q,s) (q’,s’) transition relation
iff q q’ and s s’
(Q BA) S’ acceptance condition
’: S’ PL(A) labeling function
’(q,s) = conjunction of atomic observations in [q] and negated atomic observations not in [q]
languages over infinite traces
Buchi Emptiness
Given: Buchi automaton (S, S0, , , BA)
Find: is there an infinite path from a state in S0 that visits some state in BA infinitely often ?
Solution: 1. Compute SCC graph by depth-first search
2. Mark SCC C as fair iff C BA
3. Check if some fair SCC is reachable from S0
Complexity
n number of states m number of transitions
Reachability: O(n+m)
SCC: O(n+m)
Buchi emptiness
• Two algorithms for SCC computation– forward and backward DFS– forward HI-LO algorithm
• Storing SCCs requires lot of memory• Nested DFS
– checks Buchi emptiness without explicitly computing SCCs
dfs(s) { add s to dfsTable for each successor t of s if (t dfsTable) then dfs(t) if (s BA) then { seed := s; ndfs(s) }}
ndfs(s) { add s to ndfsTable for each successor t of s if (t ndfsTable) then ndfs(t) else if (t = seed) then report error}
Multi-Buchi Emptiness
Given: Multi-Buchi automaton (S, S0, , , BA1, …, BAn)
Find: is there an infinite path from a state in S0 that infinitely often visits some state in BAi for all i
such that 1 i n ? Solution: 1. Compute SCC graph by depth-first search
2. Mark SCC C as fair iff C BAi for all i such that 1 i n.
3. Check if some fair SCC is reachable from S0
Tableau Construction
Given: LTL formula
Find: Multi-Buchi automaton M such that L(M) = L()
[Fischer & Ladner 1975; Manna & Wolper 1982]
monitors subformulas of
, ::= a | a | | | | U | W
( ) = ( ) = () = ()( U ) = ( W )( W ) = ( U )
Negation normal form
Fischer-Ladner Closure of a Formula
Sub (a) = { a, a }
Sub (a) = { a, a }
Sub () = { } Sub () Sub ()
Sub () = { } Sub () Sub ()
Sub () = { } Sub ()
Sub (U) = { U, (U) } Sub () Sub ()
Sub (W) = { W, (W) } Sub () Sub () | Sub () | = O(||)
s Sub () is consistent
iff-for all atomic propositions a
(a) s iff a s
-if () Sub () then () s iff s and s
-if () Sub () then () s iff either s or s
-if (U) Sub () then (U) s iff either s
or s and (U) s
-if (W) Sub () then (W) s iff either s
or s and (W) s
Fischer-Ladner Closure of a Formula
…
…
Sub () = {, } Sub ()
Sub () = {, } Sub ()
s Sub () is consistent
iff
…
-if () Sub () then () s iff either s or s
-if () Sub () then () s iff s and s
Tableau M = (S, S0, , , BA1,…,BAn) S ... set of consistent subsets of Sub ()
s S0 iff s
s t iff for all () Sub (), if () s then t
(s) ... conjunction of atomic observations in s and negated atomic observations not in s
There is an acceptance condition
- for each (U) Sub () given by { s | s or (U) s }
- for each () Sub () given by { s | s or () s }
Size of M is O(2||).
LTL model checking: PSPACE-complete