An Introduction to Multi-Valued Model Checking

Transcription

1 An Introduction to Multi-Valued Model Checking Georgios E. Fainekos Department of CIS University of Pennsylvania Written Preliminary Examination II 30 th of June, 2005

2 Model Checking: Is the system correct?? Extract model a b s 0 Formalize Specification a b s 2 a b s 1 A[Ga (Xb a)] Model Model Checker YES Witness NO Counter Example

3 Multi-Valued Model Checking: In what degree is the system correct?? M a=t b=f Extract model s 2 a=m b=t T T T s 0 M a=t b=m s 1 Formalize Specification A[Ga (Xb a)] MV-Model Checker The degree of satisfaction

4 Why multi-valued model checking? Application 1: conflicting viewpoints kegak a=t b=f s 0 a=f b=f TT { s 0 a=t b=f s 2 a=f s 1 b=t a=t b=t s 0 a=tt b=ff TF s 1 FT a=ff b=tf a=ft b=ft TT TT s 2 { TF FT FF {s 1 kex bk {s 0 TT {s 0,s 2 s b=f a=f 2 s 1 TF TT FT { TF FF FT { {s 1,s 2 FF Example modified from Chechik et al

5 Why multi-valued model checking? Application 2: Abstraction Using 3-valued logic introduce new special value Maybe to stand for unknown Advantages: No spurious counter-examples result = T, F or M (unknown) Verification even using incomplete models T M F s 0 s 1 p q r p q r p q r s 2 s 0,1 s 2 p=m q=f r=t T T M p=t q=t r=f Example taken from Marsha Chechik

6 Why multi-valued model checking? Application 3: Query Checking [Chan, CAV 00] Goal: speed-up design understanding discover properties not known a priori Temporal logic query temporal logic formula with placeholders (unknowns) e.g., AG? x, AG (p? x ) evaluates to strongest propositional formula that makes query true. Some applications {p, true provide partial explanation when property holds e.g. instead of AG (a b), ask AG? x {a, b answer a b is stronger! {false, p, p, true {p, p, true {true { { p, true provide diagnostic information when property fails e.g. if AG (req AF ack) fails - ask AG (req AF? x ) Slide courtesy of Marsha Chechik

7 Ordering objects A partial-order is a binary relation such that for all x,y,z S the following properties hold: Reflexivity Transitivity Antisymmetry A poset is the pair: S=(S, ) x v x x v y and y v z imply x v z x v y and y v x imply x = z In a linear order all the elements are comparable. sup(x) X inf(x) top (T) bottom ( ) Let X,Y be posets, then a map f : X Y is called order-preserving if: ( x 1,x 2 X).(x 1 v X x 2 f(x 1 ) v Y f(x 2 )) f

8 Lattices Define join and meet as: x t y := sup({x, y) and x u y := inf({x, y) Lattice L is a poset (L, ) where for all x,y L, x y and x y exist Complete lattice is a lattice where for all X L, X and X exist c-complete lattice is a complete lattice with complement operator ~ such that ~T= and ~ =T A lattice is distributive iff it satisfies the distributive law ( x, y, z L).(x u (y t z) =(x u y) t (x u z)) Let X,Y be posets, then a map f : X Y is called continuous function if for all non-empty directed sets Z X: t f(z) =f(t Z) and u f(z) =f(t Z)

9 Some important lemmas The join and meet are order preserving functions, i.e. for all x,y,z,w L x v y and z v w imply x t z v y t w The connecting lemma, for x,y L y w x v y iff x t y = y iff x u y = x Every finite lattice is complete z x Every continuous function is order preserving If X,Y are finite posets and f:x Y is order preserving, then f is continuous

10 Join irreducible elements An element x of a lattice L is join irreducible if (i) x (ii) x=y z implies x=y or x=z for all y,z L Every element of lattice L can be written as a join of join irreducible elements, for all x L: x = F {y J(L) y v x If L is distributive lattice then, the following are equivalent: x is join-irreducible if y,z L and x y z then x y or x z

11 Quasi-Boolean and Boolean Algebras A quasi-boolean algebra B is a structure B=(B,,, ~,,T); where T and are the greatest and least elements, (B,, ) is a distributive lattice and ~ is an unary operation of period 2 s.t. for every x B there exists unique ~x B satisfying: De Morgan laws: ø (x u y) =ø x tøy ø (x t y) =ø x uøy Antimonotonic: x v y iff ø y vø x Involution: ~~x=x A Boolean algebra B is a quasi-boolean algebra where for each element x B the following hold: Law of non-contradiction x uøx = Law of excluded middle x tøx = >

12 Quasi-Boolean and Boolean Algebras (examples) Quasi-Boolean Algebras B 3 =({0,½,1, ) B 3,3 =B 3 B 3 Boolean Algebras B S =(2 S, ), S={a,b,c 1 true 11 1½ ½1 ½ maybe 10 ½½ 01 0 false ½0 0½ ~1=0, ~0=1, ~½=½ true 1½,½1 likely unknown ½½ 10,01 disputed 0½,½0 unlikely {a,b,c {a,b {a,c {a {b { B 2 =({0,1, ) 1 true {b,c {c B 2,2 =B 2 B B false 0 false 00

13 Tarski-Knaster Fixpoint Theorem Let L be a complete lattice and f : L L be an order-preserving function, then f has fixpoints, i.e. f(x) = x. The least and greatest fixpoints are characterized as follows: Let y, z in L such that y f(y), y µx.f(x), f(z) z, νx.f(x) z and, let f to be continuous, then the iteration:

14 Multi-valued sets and relations A multi-valued set is a total function from the objects of a set S to the elements of a lattice L, i.e. : S L Intuitively, expresses the degree that an object s belongs to a set S Actually, in the two-valued case, i.e. when L=B 2, it reduces to the characteristic function of the set S A multi-valued relation on sets S and T over a lattice L is a function : S T L.

15 mv-kripke Structures An mv Kripke structure is a tuple M = (S, S 0,, AP,, L,D) S is a (finite) set of states S 0 is a set of initial states (S 0 S) : S S L is an mv-transition relation AP is a (finite) set of atomic propositions : S AP L is a total labelling function that maps a pair of a state s and an atomic proposition a to an element of the lattice L L is a lattice or an algebra D is the set of designated values

16 mv-kripke Structures (Examples) s 0 a=tt b=ff TF s 1 FT a=ff b=tf a=ft b=ft TT TT s 2 T pressed = T request = F pressed = T request = F T T pressed = M request = T M TT TF FT T FF M F Examples courtesy of Marsha Chechik

17 Predecessor mv-sets The existential predecessor set: The universal predecessor set: Bruns & Godefroid and Chechik et. al. (def. 1) Konikowska & Penczek (def. 2) Compare with classical definition:

18 Example For any a AP, we denote by DaD : S L the mv-set that represents the degree that the proposition a is satisfied in some state s The mv-set DaD introduces a partition of the state space s 0 Example from Chechik et al a=tt b=ff TF s 1 FT a=ff b=tf a=ft b=ft TT TT s 2 DaD {s 0 DbD { DbD {s 0 TT { {s 2 {s 1 {s 2 {s 2 {s 1 TF FT {s 1 {s 0 { FF {(s 1,s 2 ), (s 2,s 2 ) {(s 0,s 1 ) {(s 0,s 2 ) {(s 0,s 0 ), (s 1,s 0 ), (s 1,s 1 ), (s 2,s 0 ), (s 2,s 1 )

19 Example from Chechik et al a=t b=f s 0 a=f b=f s 2 a=f s 1 b=t s 0 a=t b=f a=t b=t s b=f a=f 2 s 1 s 0 a=tt b=ff TF s 1 FT a=ff b=tf a=ft b=ft TT TT s 2 DaD {s 0 DbD { DbD {s 0 TT { {s 2 {s 1 {s 2 {s 2 {s 1 TF FT {s 1 {s 0 { FF {(s 1,s 2 ), (s 2,s 2 ) pre (DaD) = pre (DaD) pre (DbD) {(s 0,s 1 ) {(s 0,s 2 ) { {s 0 {(s 0,s 0 ), (s 1,s 0 ), (s 1,s 1 ), (s 2,s 0 ), (s 2,s 1 ) { { {s 0,s 1,s 2 { {s 1,s 2 {

20 The multi-valued model checking problem Given multi-valued system M = (S, S 0,, AP,, L,D) and a specification φ Multi-valued model checking problem ( s S 0 ).(kϕk M (s) D) Alternative: Given multi-valued system M = (S, S 0,, AP,, L,D), state s in S and specification φ determine DφD M (s)

21 The multi-valued model checking problem Two main approaches Reduction methods to classical model checking [Bruns and Godefroid] Reduction for multi-valued µ-calculus [Chechik et. Al.] Reductions for multi-valued LTL, µ-calculus [Konikowska and Penczek] Reduction methods for mv-ctl* using designated values mv-ctl* for FLO and specific lattices (L 2,2,L 4+2,etc) µ-calculus Direct methods [Bruns and Godefroid] Extended alternating automata [Chechik et. Al.] Multi-valued CTL symbolic model checking

22 Temporal Logics (1) CTL* syntax Derived operators

23 Temporal logics (2): Semantic Intuition of Linear time properties G a -always a a a a a a a F a eventually a * * * a * * X a next state a * a * * * * a U b a until b a B b a before b a * a a b * * * a * b *

24 Temporal Logics (3): Semantic intuition of branching temporal properties

25 Mv-CTL* model checking using designated values (1) Semantics of mv-ctl * in Negation Normal Form (NNF) State formulas Path formulas

26 Mv-CTL* model checking using designated values (2) Theorem 1 (Reduction from NNF mv-ctl* to CTL* using Designated Values) Assume that L is a c-complete lattice. Let the designated values D and non-designated values N be closed under arbitrary bounds. Define τ : M = (S, S 0,, AP +,, L,D) K = (S, S 0, R, AP +, O) such that: Then for any state formula φ s and any path formula φ p of NNF mv- CTL* over the lattice L and any state s in S and path π in Paths M (s) of M, we have:

27 Mv-CTL* model checking using designated values (3) Sketch of proof: Notice that the paths on M and K are the same For any subset L S of L the following properties hold: Proof proceeds by induction on the structure of φ, some cases: φ=a, a in AP +, then holds by definition φ=φ 1 φ 2, then DφD M (s)=dφ 1 D M (s) Dφ 2 D M (s) D iff (property 1) ( i). (Dφ i D M (s) D) iff (IH) (K,s) φ i implies (K,s) φ 1 φ 2 =φ φ=[φ 1 Uφ 2 ], then DφD M (π[i]) D iff (property 1) there exists j>i+1 s.t. ( (π(j-1), π(j)) Dφ 2 D M (π[j])) D iff (as (π(j-1), π(j)) D and D is closed under bounds) Dφ 2 D M (π[j]) D and (property 2) for all 0<k<j ( (π(k-1), π(k)) Dφ 1 D M (π[k])) D iff Dφ 1 D M (π[k]) D iff (IH) on the same path π, (K,π[j]) φ 2 and for all 0<k<j (K,π[k]) φ 1 which by definition is (K,π[0]) [φ 1 Uφ 2 ]=φ

28 Mv-CTL* model checking using designated values (4) Theorem 2 (Reduction from mv-ctl* to CTL* using Designated Values) Assume that L is a c-complete lattice. Let the designated values D and non-designated values N be closed under arbitrary bounds. x D implies ~x N and x N implies ~x D Define τ : M = (S, S 0,, AP,, L,D) K = (S, S 0, R, AP, O) such that: Then for any state formula φ s and any path formula φ p of NNF mv-ctl* over the lattice L and any state s in S and path π in Paths M (s) of M, we have: Proof: The only additional case is for the complementation

29 Mv-CTL* model checking using designated values (5) Examples: Theorem 1: The condition that D and N should be closed under arbitrary bounds is satisfied by logics over finite linear orders i.e. 3-valued Kleene logic, many-value Lukasiewicz logics etc Theorem 2: The conditions are satisfied by: Logics over finite linear orders Logic over the lattice L 2,2 D N T F ~ Rosser-Turquette Gödel Lukasiewicz T D T D T D D N F N F N F 00 N

30 Mv-CTL* model checking using designated values (6) Remarks The complexity of mv-ctl* model checking is the same as the two-valued case The complexity of CTL* model checking is O( K 2 φ ) A combination of LTL and CTL model checking algorithms Due to the construction a counter-example in K is a counter-example in M The approach is helpful as long as we do not care about the exact value If the conditions of theorem 2 are satisfied then the 2 definitions of the predecessor sets coincide for the designated values

31 Syntax The propositional two-valued µ-calculus Semantics

32 mv-µ-calculus Model Checking by Reduction (1) Semantics of mv-µ-calculus in NNF wrt to mv-model M Atomic propositions and mv-transition relation take values over a quasi-boolean algebra B

33 mv-µ-calculus Model Checking by Reduction (2) Assume that the transition relation is 2-valued (denoted by R) Define translation: τ : M = (S, S 0, R, AP +,, B,D) K x = (S, S 0, R, AP +, O x ) For all s S and for some x B a O x (s) iff x a (s) Proposition: Let M be a mv-kripke structure over a finite distributive lattice L, φ an mv-µ-calculus formula in NNF, s in S and x, x in L, then (DφD Kx e)(s) = 1 and x x imply (DφD Kx e)(s) = 1. Proof: Straightforward double induction on the alternation depth and the structure of the formula φ. Main Result (Theorem): Let M be a mv-kripke structure over a finite distributive lattice L, φ an mv-µ-calculus formula in NNF, s in S, then (DφD M ε)(s) = {x J(L) (DφD Kx e)(s) = 1 Proof: Every element of lattice L can be written as a join of join irreducible elements, i.e. (DφD M ε)(s) = {x J(L) x (DφD M ε)(s)

34 mv-µ-calculus Model Checking by Reduction (3) Lemma: Let M be a mv-kripke structure over a finite distributive lattice L, φ an mv-µ-calculus formula in NNF, s in S and x in J(L), then (DφD Kx e)(s) = 1 iff x (DφD M ε)(s). Proof: By induction on the alternation depth n of the formula φ. Let n=0, we proceed by induction on the structure of φ, case φ=a AP + by definition φ=φ 1 φ 2, then Dφ 1 φ 2 D Kx e (s)=1 iff Dφ 1 D Kx e(s)=1 or Dφ 2 D Kx e(s)=1 iff (IH) x Dφ 1 D M ε(s) or x Dφ 2 D M ε (s) iff(*) x = x x Dφ 1 D M ε(s) Dφ 2 D M ε (s) iff x Dφ 1 φ 2 D M ε (s) Consider alternation depth n+1 and proceed by induction on the structure of φ, case φ=µχ.ψ(χ), then DµΧ.ψ(Χ)D Kx e (s)=1 iff s (f Kx,ψ ) S +1 ( ). Also, x DµΧ.ψ(Χ)D M ε (s) iff x (f M,ψ ) S +1 ( ). By IH s (f Kx,ψ ) S +1 ( ) iff x (f M,ψ ) S +1 ( ).

35 mv-µ-calculus Model Checking by Reduction (4) Reduction algorithm for mv-µ-calculus Reduction method for the mv-µ-caclulus calls at most J(L) times the µ-caclulus model checker The running time of the naive µ-caclulus model checking algorithm is: O( φ K S nest(φ) ) 1 ½ 0 Example: The Kripke structure K 1 expresses the pessimistic viewpoint that ½ is false, while K ½ expresses the optimistic viewpoint that both the values 1 and ½ are true. If K 1 satisfies φ then (DφD M ε)(s) = {1, ½ = 1. If K ½ satisfies φ then (DφD M ε)(s)= {½ = ½.

36 CTL Syntax Direct mv-ctl Model Checking (1) Semantics of mv-ctl wrt mv-model M Atomic propositions and mv-transition relation take values over a quasi-boolean algebra B

37 Direct mv-ctl Model Checking (2) mv-ctl symbolic model checking algorithm The running time of the mv-ctl symbolic model checking algorithm is: O( φ S M t L )

38 Direct mv-ctl Model Checking (3) Derived operators Derived fixpoint properties

39 Direct mv-ctl Model Checking (4) s 0 a=tt b=ff TF s 1 FT a=ff b=tf a=ft b=ft TT TT s 2 We want to model check the specification: kegak M We use the fixpoint: kegak = Z.kak B kexzk DaD {s 0 Z 0 {s 0,s 1,s 2 DEX Z 0 D {s 0,s 1,s 2 Z 1 {s 0 { {s 2 { { { { { {s 2 {s 1 { { {s 1 DEX Z 1 D { Z 2 { { {s 0,s 1,s 2 { {s 0,s 2 { {s 1

40 Remarks: Fairness conditions Preserve values of fair paths, set unfair paths to Let fairness conditions {c i then ( s S).(Dc i D K (s) {T, ) A computation is fair if every computation comprising it is fair Direct mv-ctl Model Checking (5) i.e. when we consider composition of different viewpoints DE c G φd K := νz.dφd K B B,i=1 n DEX E[φ U φ Z c k ]D K DE c X φd K :=DEX (φ (E c GT ))D K DE c [φuψ]d K :=DE[φU(ψ (E c GT ))]D K Generation of proof like counter-examples and witnesses

41 mv-model Checking in Practice (1) Reduction methods: just use existing model checkers nusmv, SPIN, CADP, EVALUATOR etc Direct Methods: χ-check: mv-ctl model checker based on symbolic methods An example to compare the two approaches: Case study: the SMV elevator example Single Button Collective Control 1 modified module Button per floor (outside elevator) 1 module Lift (var: floor, door, direction, 1 button per floor) Comparison using the same model checker χ-check Pentium III, 850MHz, 256MB RAM, Linux

42 mv-model Checking in Practice (2) Figure courtesy of M. Chechik et. Al.

43 mv-model Checking in Practice (3) Figures courtesy of M. Chechik et. Al.

44 Conclusions Both reduction and direct approaches to multi-valued model checking have their own advantages The additional expressive power of the mv-models permits the formal verification of problems that could not be handled before One concern: Hard to transfer these methods to industry one has to be well versed to many-valued logics

45 Future Directions Reduction to CTL* using designated values Built proof system mv-ctl symbolic model checker Introduce types for the atomic propositions Extend to mv-ltl model checking Use property patterns Investigate more realistic applications

46 References [1] G. Bruns and P. Godefroid, Model checking with multi-valued logics. Bell Labs, Lucent Technologies, Tech. Rep. ITD H, May [2], Model checking with multi-valued logics. in Proceedings of the 31st International Colloquium on Automata, Languages and Programming (ICALP), ser. Lecture Notes in Computer Science, vol Springer-Verlag, 2004, pp [3] M. Chechik, B. Devereux, S. Easterbrook, and A. Gurfinkel, Multivalued symbolic model-checking, ACM Trans. Softw. Eng. Methodol., vol. 12, no. 4, pp. 1 38, Oct [4] B. Konikowska and W. Penczek, On designated values in multivalued ctl* model checking, Fundamenta Informaticae, vol. 57, pp. 1 14, 2004.

47 Thank you! Questions???