Review of the automata-theoretic approach to model-checking.

Review of the automata-theoretic approach to model-checking

Overview*

• Kripke structures

• Temporal logics: LTL, CTL, CTL*

• From LTL to Buchi automata

• Model checking

*Thanks for borrowed slides: Orna Grumberg, Ken McMillan

Program verification Given a program and a specification,

does the program satisfy the specification?

Not decidable!

We restrict the problem to a decidable one:• Finite-state abstractions• Propositional temporal logics

Model Checking

MC

G(p -> F q)yes

nop

q

p

q

temporal formula

finite-state model

algorithm

counterexample

Model must now represent all behaviors

Finite state systems

• Hardware designs• Communication protocols• High level description of non finite state systems• Web service abstractions

Properties in temporal logic

• mutual exclusion: always ( cs1 cs2)

• non starvation: always (request eventually grant)

• communication protocols: ( get-message) until send-message

Kripke structures

• A Kripke structure (S,AP,R,L) consists of– set of states S, atomic propositions AP– set of transitions R SS– labeling L SAP

• Example: Kripke model of a program

p prepeat p := true; p := false;end

Kripke structure / transition system

a,b a

ab,c

c

a,c a,bb

=s0s1s2... is a run in M from s iff

s = s0 and for every i0: (si,si+1)R

How to specify properties of runs:

temporal logics!

Linear temporal logic: LTL

AP – a set of atomic propositions

LTL: propositional logic + temporal operators

Gp

Fp

Xp

pUq

Examples of LTL properties

• x=a y=b XXXX z=a+b• pay B deliver B: “before”• liveness: “if input, then eventually output”

G (input F output)• strong fairness: “infinitely sent implies infinitely

received”

GF send GF receive

Branching time logics: CTL, CTL*

• Model of time is a tree, not a sequence• Path quantifiers A: “for every path” E: “there exists a path”

AF p

p

p

p

Computation Tree Logic: CTL

• Every operator F, G, X, U preceded by A or E• Universal modalities:

p p

p

. . .

. . .

. . .

. . .

. . .

. . .

. . .

. . .

AG p

p p p p

p

p p

AF p

CTL, cont...

• Existential modalities:

p

p

. . .

. . .

. . .

. . . . . .

. . .

. . .

. . .

EG p

p p

EF p

CTL, cont

• Other modalitiesAX p, EX p, A(p U q), E(p U q)

• Examples: mutual exclusion specs...

AG (C1 C2) mutual exclusion

AG (request AF grant) non-starvation

AG (N1 EX T1) non-blocking

CTL*• Contains both CTL and LTL

– path formulas p U q, G p, Fp, Xp, p, p q– state formulas A p, E p

• Note: p in LTL A p in CTL*

• CTL* is more powerful than CTL Example: Fairness assumptions

A (GF p GF q)

Model checking complexities

CTL

LTLO(2f (V+E))

CTLO(f (V+E))

*

=

Note: all are linear in model size

PSPACE COMPLETE

LTL vs. Buchi automata

• Buchi automaton: finite-state automaton

accepting infinite words by going forever through some accepting state

a1 a2 a3 ………………………………

s0 s1 s2 s3 ……….f ….. f ….. f ….. f…..

• Languages accepted by Buchi automata:

ω-regular

Let φ be an LTL formula with propositions AP.There exists a Buchi automaton B(φ) over alphabet 2AP accepting exactly the infinite words satisfying φ.

Naïve construction: simple recursion on the structure of φ

Examples:• if φ = X p then B(φ) is

• if φ = p U q then B(φ) is

• but: each negation leads to exponential blowup!

pq

accept

paccept

Smarter way: one-step construction

• exponential number of states

• given a state of B(φ) and an input, a next state of B(φ) can be computed in PSPACE with respect to φ

Example: p U q

• States: consistent sets of subformulas (or their negations)

() subformulas p U q, (p U q), p, p, q, q

p, q p U q

p, q, p U q

p, q, (p U q)

p, q, p U q

p q, (p U q)

States (consistent sets):

Intuition: a state contains the formulas satisfied by all accepted infinite runs starting in that state

p, q, p U q

p, q, p U q

p, q, (p U q)

p, q, p U q

p, q, (p U q)

all all

all

• Initial states: all containing p U q • Transitions: on assignment in source state

Model checking Input: Kripke structure K LTL formula φ

1. Construct B( φ)

2. Search for runs of K accepted by B( φ)

3. If none found, output “yes”

otherwise, output counter-example run

Can be done in NPSPACE, so in PSPACE:

• Non-deterministically generate runs of K B(φ)

• Accept when looping in <S, f >

where S is a state in K and f is an accepting state of B(φ)

Run of K

States of B(φ)

s0 s1 s2 … f …. f

…

Deterministic algorithm: depth-first search + some efficient bookkeeping

O(2|φ| |K|)

S S

Some other complexities

• Model checking for CTL: O( |φ| |K|)

• Satisfiability for CTL: EXPTIME-complete

• Model checking for CTL*: PSPACE-complete • Satisfiability for CTL*: 2-EXPTIME-complete