Efficient Model Checking of Safety Properties


Efficient Model Checking of Safety Properties
Timo Latvala (timo.latvala@hut.fi)
Laboratory for Theoretical Computer Science, Helsinki University of Technology, Finland
Spin 2003 p.1/16

Introduction
- Safety properties: properties with finite counterexamples.
- Uses: testing, program monitoring, model checking.
- Focus: LTL using the automata-theoretic approach.
- Main problem: translating LTL formulas to finite automata.

Why safety properties?
Treating safety properties as a special case has certain benefits.
- Safety properties are an important subset.
- Explicit state model checking algorithms are somewhat simpler.
- BDD-based algorithms are faster (linear vs quadratic).
- For methods such as Petri net unfoldings, safety is much simpler.

Challenges
Treating safety as a special case poses some challenges:
- Deciding if an LTL formula is a safety formula is PSPACE-complete.
- Translating a safety LTL formula to a finite automaton is doubly exponential.
- Non-pathological formulas have a singly exponential translation to finite automata.
- Deciding if a formula is pathological is PSPACE-complete.

Contributions
- A new translation algorithm based on an algorithm by Kupferman and Vardi.
- Extensive experimental testing of the implementation.
- First(?) implementation of an algorithm checking whether a formula is pathologic.
- The tool, scheck, can be used with Spin.

Related Work
- Kupferman and Vardi: algorithms and complexity results.
- Geilen: forward version of the KV algorithm.
- Berard et al.: history variable methods for past TL.
- Havelund and Roşu: model checking past TL for finite executions.

Translation Algorithm
- The algorithm creates the finite automaton backwards.
- We start from an empty set of requirements and analyse the satisfaction of subformulas.
- We only add states for temporal operators (exception: X).
- The resulting automaton accepts all informative prefixes.
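The finite counterexamples and informative prefixes discussed above, as an added example that is not code from the talk or from scheck: a forward monitor for syntactically safe LTL over finite prefixes by formula progression (rewriting), a simpler technique than scheck's backward construction. The tuple encoding of formulas, the sample property G(req -> X ack) and the two sample prefixes are all constructed here.

```python
# Added example, not code from the talk or from scheck: a forward monitor for
# syntactically safe LTL over finite prefixes using formula progression
# (rewriting), a simpler technique than scheck's backward construction.
# Formulas are tuples in negation normal form: ('ap', a), ('nap', a), ('and', f, g),
# ('or', f, g), ('X', f), ('G', f), ('W', f, g) (weak until), plus True/False.
# A state is the set of atoms that hold in it.
def _and(a, b):
    if a is False or b is False:
        return False
    return b if a is True else a if b is True else ('and', a, b)

def _or(a, b):
    if a is True or b is True:
        return True
    return b if a is False else a if b is False else ('or', a, b)

def progress(f, state):
    """Obligation that remains on the rest of the trace after reading `state`."""
    if f is True or f is False:
        return f
    op = f[0]
    if op == 'ap':
        return f[1] in state
    if op == 'nap':
        return f[1] not in state
    if op == 'and':
        return _and(progress(f[1], state), progress(f[2], state))
    if op == 'or':
        return _or(progress(f[1], state), progress(f[2], state))
    if op == 'X':
        return f[1]
    if op == 'G':  # G f  ==  f and X G f
        return _and(progress(f[1], state), f)
    if op == 'W':  # f W g  ==  g or (f and X (f W g))
        return _or(progress(f[2], state), _and(progress(f[1], state), f))
    raise ValueError(f'unknown operator {op!r}')

def first_bad_prefix(f, trace):
    """Length of the shortest prefix that progression proves bad (the formula
    collapses to False, so every extension violates it), or None."""
    for i, state in enumerate(trace):
        f = progress(f, state)
        if f is False:
            return i + 1
    return None

# Constructed sample: G(req -> X ack) in NNF, on a violating and a conforming prefix.
REQ_ACK = ('G', ('or', ('nap', 'req'), ('X', ('ap', 'ack'))))
VIOLATING = [{'req'}, set(), set()]       # request never acknowledged
CONFORMING = [{'req'}, {'ack'}, set()]
```

A result of None only means no informative bad prefix was found; progression reports violations as soon as the remaining obligation becomes False.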

Checking Pathologic Safety
- Construct A_ψ.
- Construct the deterministic finite automaton B_ψ.
- Interpret B_ψ as a Büchi automaton and complement it.
- If L(A_ψ B_ψ) then ψ is pathologic.

Implementation
- The implementation uses BDDs to manage sets.
- Produces deterministic or non-deterministic automata.
- Can be connected to Spin.
- Freely available, licensed under the GNU GPL.

Experiments
- Randomly generated syntactically safe formulas.
- Randomly generated formulas.
- Safety formulas from the specification pattern system.
- Model checking tests with Spin.

Syntactically Safe Formulas
[Figure: six plots against formula length, each with series lbt, spin and ltl2ba: state ratio, transition ratio, time ratio (lbt, spin), time ratio (ltl2ba), product-state ratio, product-transition ratio.]

General Formulas
[Figure: average generation time [s] against formula length (4 to 22).]

Specification Pattern Formulas
[Figure: two plots of states or arcs per formula, comparing scheck states with ltl2ba states and scheck arcs with ltl2ba arcs.]

Totals over the specification pattern formulas:

tool     states   arcs    time [s]   product states   product arcs
ltl2ba      160    348       0.5             3037          15406
lbt        1915  31821       1.2            25134         763203
scheck      144    316       2.1             2481           9806

Practical Models (scheck vs spin)

model               scheck                         spin
                    states    arcs      t [s]      states     arcs       t [s]
peterson(3)           17476    32343     0.06       21792      45870      0.09
peterson(4)         3254110   709846    20.8      4216030   10315000     37.3
sliding(1,1)         130799   407238     0.9       258456     890026      2.2
sliding(1,2)         518050  1670120     3.9      1027130    3604660      9.8
sliding(2,1)        5447700 18271400   534.7     10794100   39649800   1097.4
erathostenes(50,1)      522      522     0.03         522        522      0.03
erathostenes(60,2)      324      324     0.02      357958     647081      4.0
erathostenes(70,3)      522      522     0.04     2047030    4407400     48.5
erathostenes(80,4)      789      789     0.04           -          -         -
erathostenes(80,5)      847      847     0.04           -          -         -
iprot               7095180 20595400   377.0     16011900   46288600   1006.2
giop                 146646   215640     1.8       255105     524493      4.8

Practical Models (scheck vs ltl2ba)

model               scheck                         ltl2ba
                    states    arcs      t [s]      states     arcs       t [s]
peterson(3)           17476    32343     0.06       21792      45870      0.09
peterson(4)         3254110   709846    20.8      4216030   10315000     37.5
sliding(1,1)         130799   407238     0.09      258432     890386      2.2
sliding(1,2)         518050  1670120     3.9      1027120    3604410      9.8
sliding(2,1)        5447700 18271400   534.7     10794000   39645700   1097.6
erathostenes(50,1)      522      522     0.03         678        678      0.03
erathostenes(60,2)      324      324     0.02      794322    1319710      8.4
erathostenes(70,3)      522      522     0.04     3110700    6474410     76.6
erathostenes(80,4)      789      789     0.04           -          -         -
erathostenes(80,5)      847      847     0.04           -          -         -
iprot               7095180 20595400   377.0     16011900   46288600   1003.7
giop                 146646   215640     1.8       255105     524493      4.6

Conclusions
- scheck produces smaller automata in most cases.
- Especially when debugging safety properties, the gain can be significant.
- A model checker can gain by analysing the formula.
- Using BDDs was probably a bad design choice.
- scheck is available from www.tcs.hut.fi/~timo/scheck.