Scribd Logo
Upload

Welcome to Scribd!

  • Review of The Automata-Theoretic Approach To Model-Checking

    Uploaded by

    Ilyass
    4 views25 pages
    This document summarizes the automata-theoretic approach to model checking. It discusses Kripke structures, temporal logics like LTL and CTL, translating LTL to Buchi automata, and the model checking algorithm. The algorithm takes a Kripke structure and LTL formula as input, constructs a Buchi automaton for the negated formula, and searches for accepting runs to check satisfiability in polynomial space. This provides an effective way to check finite-state systems against temporal logic specifications.

    Original Description:

    Original Title

    Model Checking

    Copyright

    © © All Rights Reserved

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document summarizes the automata-theoretic approach to model checking. It discusses Kripke structures, temporal logics like LTL and CTL, translating LTL to Buchi automata, and the model checking algorithm. The algorithm takes a Kripke structure and LTL formula as input, constructs a Buchi automaton for the negated formula, and searches for accepting runs to check satisfiability in polynomial space. This provides an effective way to check finite-state systems against temporal logic specifications.

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    4 views25 pages

    Review of The Automata-Theoretic Approach To Model-Checking

    Uploaded by

    Ilyass
    This document summarizes the automata-theoretic approach to model checking. It discusses Kripke structures, temporal logics like LTL and CTL, translating LTL to Buchi automata, and the model checking algorithm. The algorithm takes a Kripke structure and LTL formula as input, constructs a Buchi automaton for the negated formula, and searches for accepting runs to check satisfiability in polynomial space. This provides an effective way to check finite-state systems against temporal logic specifications.

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 25

    Review of the automata-theoretic

    approach to model-checking
    Overview*

    • Kripke structures
    • Temporal logics: LTL, CTL, CTL*
    • From LTL to Buchi automata
    • Model checking

    *Thanks for borrowed slides: Orna Grumberg, Ken McMillan


    Program verification
    Given a program and a specification,
    does the program satisfy the specification?
    Not decidable!

    We restrict the problem to a decidable one:


    • Finite-state abstractions
    • Propositional temporal logics
    Model Checking

    G(p -> F q)
    yes
    temporal formula

    MC algorithm

    no
    p
    p
    q
    q
    counterexample
    finite-state model

    Model must now represent all behaviors


    Finite state systems

    • Hardware designs
    • Communication protocols
    • High level description of non finite state systems
    • Web service abstractions
    Properties in temporal logic

    • mutual exclusion:
    always ( cs1  cs2)

    • non starvation:
    always (request  eventually grant)

    • communication protocols:
    ( get-message) until send-message
    Kripke structures
    • A Kripke structure (S,AP,R,L) consists of
    – set of states S, atomic propositions AP
    – set of transitions R SS
    – labeling L SAP

    • Example: Kripke model of a program

    repeat
    p := true; p p
    p := false;
    end
    Kripke structure / transition system

    a,b a

    b,c a

    b a,c a,b

    c
    =s0s1s2... is a run in M from s iff
    s = s0 and for every i0: (si,si+1)R

    How to specify properties of runs:


    temporal logics!
    Linear temporal logic: LTL
    AP – a set of atomic propositions
    LTL: propositional logic + temporal operators

    Gp
    Fp
    Xp
    pUq
    Examples of LTL properties
    • x=a  y=b  XXXX z=a+b
    • pay B deliver B: “before”
    • liveness: “if input, then eventually output”
    G (input  F output)
    • strong fairness: “infinitely sent implies infinitely
    received”
    GF send  GF receive
    Branching time logics: CTL, CTL*
    • Model of time is a tree, not a sequence
    • Path quantifiers A: “for every path”
    E: “there exists a path”

    AF p
    p
    Computation Tree Logic: CTL

    • Every operator F, G, X, U preceded by A or E


    • Universal modalities:
    AG p AF p

    p p p

    p p p p p p
    ...

    ...

    ...

    ...
    ...

    ...

    ...

    ...
    CTL, cont...
    • Existential modalities:

    EG p EF p

    p
    ...

    p
    ...

    ...

    ...

    ...

    ...

    ...

    ...
    CTL, cont

    • Other modalities
    AX p, EX p, A(p U q), E(p U q)

    • Examples: mutual exclusion specs...

    AG  (C1  C2) mutual exclusion


    AG (request  AF grant) non-starvation
    AG (N1  EX T1) non-blocking
    CTL*
    • Contains both CTL and LTL
    – path formulas p U q, G p, Fp, Xp, p, p  q
    – state formulas A p, E p

    • Note: p in LTL  A p in CTL*

    • CTL* is more powerful than CTL


    Example: Fairness assumptions
    A (GF p  GF q)
    Model checking complexities
    CTL *

    LTL CTL
    O(2f (V+E)) O(f (V+E))

    PSPACE COMPLETE

    Note: all are linear in model size


    LTL vs. Buchi automata

    • Buchi automaton: finite-state automaton


    accepting infinite words by going forever through
    some accepting state
    a1 a2 a3 ………………………………

    s0 s1 s2 s3 ……….f ….. f ….. f ….. f…..

    • Languages accepted by Buchi automata:


    ω-regular
    Let φ be an LTL formula with propositions AP.
    There exists a Buchi automaton B(φ) over
    alphabet 2AP accepting exactly the infinite
    words satisfying φ.

    Naïve construction: simple recursion on the structure of φ

    Examples: p accept
    • if φ = X p then B(φ) is
    p
    q
    • if φ = p U q then B(φ) is accept

    • but: each negation leads to exponential blowup!


    Smarter way: one-step construction

    • exponential number of states

    • given a state of B(φ) and an input, a next state of B(φ)


    can be computed in PSPACE with respect to φ
    Example: p U q
    • States: consistent sets of subformulas (or their negations)
    () subformulas p U q,  (p U q), p,  p, q,  q

    p, q p U q
    p,  q, p U q
    States (consistent sets): p,  q, (p U q)
     p, q, p U q
     p  q, (p U q)

    Intuition: a state contains the formulas satisfied by


    all accepted infinite runs starting in that state
    p,  q, p,  q, p, q,
    pUq (p U q) pUq

    all

    p, q, p,  q,
    pUq (p U q)

    all all

    • Initial states: all containing p U q


    • Transitions: on assignment in source state
    Model checking
    Input: Kripke structure K LTL formula φ

    1. Construct B( φ)

    2. Search for runs of K accepted by B( φ)

    3. If none found, output “yes”


    otherwise, output counter-example run
    Can be done in NPSPACE, so in PSPACE:

    • Non-deterministically generate runs of K  B(φ)

    • Accept when looping in <S, f >


    where S is a state in K and f is an accepting state of B(φ)
    S S

    Run of K
    s0 s1 s2 … f …. f
    States of B(φ)

    Deterministic algorithm: depth-first search + some efficient


    bookkeeping
    O(2|φ| |K|)
    Some other complexities

    • Model checking for CTL: O( |φ| |K|)


    • Satisfiability for CTL: EXPTIME-complete

    • Model checking for CTL*: PSPACE-complete


    • Satisfiability for CTL*: 2-EXPTIME-complete

    You might also like