Thorough Checking Revisited

Similar documents
Thorough Checking Revisited

3-Valued Abstraction-Refinement

Temporal Logic Model Checking

How Vacuous is Vacuous?

Model Checking via Automatic Abstraction

LTL Generalized Model Checking Revisited

Chapter 6: Computation Tree Logic

Abstraction for Falsification

How Vacuous Is Vacuous?

Description Logics. Deduction in Propositional Logic. franconi. Enrico Franconi

An Introduction to Multi-Valued Model Checking

NPTEL Phase-II Video course on. Design Verification and Test of. Dr. Santosh Biswas Dr. Jatindra Kumar Deka IIT Guwahati

A 3 Valued Contraction Model Checking Game: Deciding on the World of Partial Information

Multi-Valued Symbolic Model-Checking

Model for reactive systems/software

Model Checking with CTL. Presented by Jason Simas

Linear Temporal Logic (LTL)

Modal and Temporal Logics

Model checking (III)

Overview. overview / 357

Computation Tree Logic

Decision Procedures for CTL

Exploiting resolution proofs to speed up LTL vacuity detection for BMC

Mathematics for linguists

Model Checking: An Introduction

Alan Bundy. Automated Reasoning LTL Model Checking

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

CS357: CTL Model Checking (two lectures worth) David Dill

Model Checking Fixed Point Logic with Chop

Lecture 9 Synthesis of Reactive Control Protocols

Decision Procedures for CTL

Theoretical Foundations of the UML

Lecture 16: Computation Tree Logic (CTL)

Semantics and Pragmatics of NLP

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Counterexample-Driven Model Checking

Computation Tree Logic (CTL)

Model-Checking Games: from CTL to ATL

LTL and CTL. Lecture Notes by Dhananjay Raju

Propositional and Predicate Logic - V

Local Model Checking Games for Fixed Point Logic with Chop

MODEL CHECKING. Arie Gurfinkel

A Tableau Proof System with Names for Modal Mu-calculus

From Liveness to Promptness

Lattice Automata. Orna Kupferman and Yoad Lustig

Mihaela Bobaru (née Gheorghiu)

Natural Deduction for Propositional Logic

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

A Tableau-Based Decision Procedure for Right Propositional Neighborhood Logic (RPNL )

A tableau-based decision procedure for a branching-time interval temporal logic

Model Checking in the Propositional µ-calculus

Model Checking & Program Analysis

Ranked Predicate Abstraction for Branching Time. Complete, Incremental, and Precise

May/Must Abstraction-Based Software Model Checking For Sound Verification and Falsification

Deciding the First Levels of the Modal µ Alternation Hierarchy by Formula Construction

Lecture 10: Gentzen Systems to Refinement Logic CS 4860 Spring 2009 Thursday, February 19, 2009

A Propositional Dynamic Logic for Instantial Neighborhood Semantics

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

Course Runtime Verification

Alternating-Time Temporal Logic

Chapter 5: Linear Temporal Logic

Logic: First Order Logic

a Hebrew University b Weizmann Institute c Rice University

Partial model checking via abstract interpretation

Model checking the basic modalities of CTL with Description Logic

arxiv: v1 [cs.lo] 26 Nov 2018

Lectures on the modal µ-calculus

Modal Logic XIII. Yanjing Wang

Graded Computation Tree Logic

Reasoning about Strategies: From module checking to strategy logic

Tecniche di Verifica. Introduction to Propositional Logic

Automata, Logic and Games: Theory and Application

Model Checking Algorithms

PROPOSITIONAL LOGIC. VL Logik: WS 2018/19

Reasoning about Time and Reliability

EAHyper: Satisfiability, Implication, and Equivalence Checking of Hyperproperties

Temporal & Modal Logic. Acronyms. Contents. Temporal Logic Overview Classification PLTL Syntax Semantics Identities. Concurrency Model Checking

Summary. Computation Tree logic Vs. LTL. CTL at a glance. KM,s =! iff for every path " starting at s KM," =! COMPUTATION TREE LOGIC (CTL)

Přednáška 12. Důkazové kalkuly Kalkul Hilbertova typu. 11/29/2006 Hilbertův kalkul 1

ESE601: Hybrid Systems. Introduction to verification

What is Temporal Logic? The Basic Paradigm. The Idea of Temporal Logic. Formulas

SVEN SCHEWE Universität des Saarlandes, Fachrichtung Informatik, Saarbrücken, Germany

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Topics in Verification AZADEH FARZAN FALL 2017

Reducing CTL-live Model Checking to Semantic Entailment in First-Order Logic (Version 1)

Algorithmic Reasoning about Böhm Trees

Modal logics: an introduction

Neighborhood Semantics for Modal Logic Lecture 5

Applied Automata Theory

A Game-Theoretic Decision Procedure for the Constructive Description Logic calc

Computation Tree Logic

A brief introduction to Logic. (slides from

Complexity Issues in Automated Addition of Time-Bounded Liveness Properties 1

Analyzing Multiple Logs for Forensic Evidence

3 Propositional Logic

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Comparing LTL Semantics for Runtime Verification

Model Checking of Safety Properties

Decision Procedures for Satisfiability and Validity in Propositional Logic

Propositional logic. First order logic. Alexander Clark. Autumn 2014

Transcription:

Thorough Checking Revisited Shiva Nejati Mihaela Gheorghiu Marsha Chechik {shiva,mg,chechik}@cs.toronto.edu University of Toronto 1

Automated Abstraction SW/HW Artifact Correctness Property Model Extraction Translation Finite Abstract Model Temporal Logic Inconclusive Answer Model-Checker Conclusive Answer 2

3-Valued Abstraction Partial Models Universal + Existential Properties Maybe Model-Checker Yes/No 3

3-Valued Abstraction Partial Models PKS [BG00] MixedTS [DGG97] HTS [SG04] [LX90] Universal + Existential Properties Maybe Model-Checker Yes/No 3

3-Valued Abstraction Partial Models PKS [BG00] MixedTS [DGG97] HTS [SG04] [LX90] Universal + Existential Properties Maybe Model-Checker Yes/No Compositional Semantics Thorough Semantics [Bruns & Godefroid 00] 3

3-Valued Semantics: Example P: int x, y = 1, 1; int t; x, y = t, t+1; x, y = 1, 1; M: odd(x) odd(y) odd(x)? odd(y)? odd(x) odd(y) Property : Compositional Semantics Thorough Semantics AG(odd(y)) A[odd(x) U odd(y)] 4

3-Valued Semantics: Example P: int x, y = 1, 1; int t; x, y = t, t+1; x, y = 1, 1; M: odd(x) odd(y) odd(x)? odd(y)? odd(x) odd(y) Property : Compositional Semantics Thorough Semantics AG(odd(y)) A[odd(x) U odd(y)] AG(odd(y)) A[odd(x) U odd(y)] 4

3-Valued Semantics: Example P: int x, y = 1, 1; int t; x, y = t, t+1; x, y = 1, 1; M: odd(x) odd(y) odd(x)? odd(y)? odd(x) odd(y) Property : Compositional Semantics Thorough Semantics AG(odd(y)) A[odd(x) U odd(y)] Maybe A[odd(x) U odd(y)] 4

3-Valued Semantics: Example P: int x, y = 1, 1; int t; x, y = t, t+1; x, y = 1, 1; M: odd(x) odd(y) odd(x)? odd(y)? odd(x) odd(y) Property : Compositional Semantics Thorough Semantics AG(odd(y)) A[odd(x) U odd(y)] Maybe Maybe 4

3-Valued Semantics: Example P: int x, y = 1, 1; int t; x, y = t, t+1; x, y = 1, 1; M: odd(x) odd(y) odd(x)? odd(y)? odd(x) odd(y) Property : Compositional Semantics Thorough Semantics AG(odd(y)) A[odd(x) U odd(y)] Maybe 4

3-Valued Semantics: Example P: int x, y = 1, 1; int t; x, y = t, t+1; x, y = 1, 1; M: odd(x) odd(y) odd(x)? odd(y)? odd(x) odd(y) One concretization odd(x) odd(y) odd(x) odd(y) odd(x) odd(y) odd(x) odd(y) Property : odd(x) odd(y) AG(odd(y)) A[odd(x) U odd(y)] odd(x) odd(y) Compositional Semantics Thorough Semantics Maybe AG(odd(y)) A[odd(x) U odd(y)] False over all Concretizations of M 4

3-Valued Semantics: Example P: int x, y = 1, 1; int t; x, y = t, t+1; x, y = 1, 1; M: odd(x) odd(y) odd(x)? odd(y)? odd(x) odd(y) One concretization odd(x) odd(y) odd(x) odd(y) odd(x) odd(y) odd(x) odd(y) Property : odd(x) odd(y) AG(odd(y)) A[odd(x) U odd(y)] odd(x) odd(y) Compositional Semantics Thorough Semantics Maybe False 4

Compositional vs Thorough Partial Models Universal + Existential Properties Maybe Model-Checker Yes/No Compositional Semantics Computationally cheap Less precise (more maybe s) Various implementations Thorough Semantics Computationally expensive More precise (less maybe s) No implementation Need to increase conclusiveness while avoiding too much overhead 5

Implementing Thorough via Compositional Identify formulas where compositional = thorough Self-minimizing formulas [Godefroid & Huth 05] E.g. AG(odd(y)) Transform other formulas into equivalent self-minimizing ones Semantic minimization [Reps et. al. 02] E.g. AG(odd(y)) A[odd(x) U odd(y)] = A[(odd(x) odd(y)) U False] (Self-minimizing) 6

Thorough Checking Algorithm ThoroughCheck(M, ϕ) (1): if (v := ModelCheck(M, ϕ)) Maybe return v (2): if IsSelfMinimizing(M, ϕ) return Maybe (3): return ModelCheck(M, SemanticMinimization(ϕ)) 7

Thorough Checking Algorithm ThoroughCheck(M, ϕ) (1): if (v := ModelCheck(M, ϕ)) Maybe return v (2): if IsSelfMinimizing(M, ϕ) return Maybe (3): return ModelCheck(M, SemanticMinimization(ϕ)) 7

Our Goal ThoroughCheck(M, ϕ) (1): if (v := ModelCheck(M, ϕ)) Maybe return v (2): if IsSelfMinimizing(M, ϕ) return Maybe (3): return ModelCheck(M, SemanticMinimization(ϕ)) Step (2): Identifying a large class of self-minimizing formulas Step (3): Devising practical algorithms for semantic minimization of remaining formulas 7

Our Contributions 1.We prove that disjunctive/conjunctive μ- calculus formulas are self-minimizing Related Work: [Gurfinkel & Chechik 05] [Godefroid & Huth 05] checking pure polarity Only works for PKSs, not for all partial models 2.We provide a semantic minimization algorithm via the tableau-based translation of [Janin & Walukiewicz 95] Related Work: [Godefroid & Huth 05]: μ-calculus is closed under semantic-minimization But no implementable algorithm 8

Main Idea Thorough checking can be as hard as satisfiability checking Satisfiability checking is linear for disjunctive μ-calculus Then, can we show that disjunctive μ-calculus is self-minimizing? But, a naive inductive proof does not work for the greatest fixpoint formulas [Godefroid & Huth 05] Our proof uses an automata characterization of thorough checking reducing checking self-minimization to deciding an automata intersection game 9

Outline Need for thorough checking Thorough via compositional Main Result: Disjunctive/Conjunctive μ- calculus is self-minimizing Intuition Background Proof Our thorough checking algorithm Conclusion and future work 10

Background Disjunctive μ-calculus [Janin and Walukiewicz 95] Conjunctions are restricted (special conjunctions) Examples ϕ 1 = EXp EX q AX(p q) ϕ 2 = AX(p q) ϕ 3 = AXp AXq Syntax ϕ ::= p p Z ϕ ϕ p ψ Γ EXψ AX ψ Γ ψ ν(z) ϕ(z) µ(z) ϕ(z) Conjunctive μ-calculus is dual Disjunctive μ-calculus is equal to μ-calculus 11

Background: Abstraction as Automata [Dams & Namjoshi 05] Formulas = automata, abstract models = automata Model Checking Model M satisfies formula φ Refinement Checking Model M abstracts model M We use μ-automata [Janin & Walukiewicz 95] Similar to non-deterministic tree automata But no fixed branching degree no ordering over successors L(A M ) L(A ϕ ) L(A M ) L(A M ) 12

Self-minimization and Automata A formula φ is self-minimizing if 1.For every abstract model M over which φ is non-false (true or maybe) there is a completion of M satisfying φ 2.For every abstract model M over which φ is non-true (false or maybe) there is a completion of M refuting φ 13

Self-minimization and Automata A formula φ is self-minimizing if 1.For every abstract model M over which φ is non-false (true or maybe) L(A M ) L(A ϕ ) 2.For every abstract model M over which φ is non-true (false or maybe) there is a completion of M refuting φ 13

Self-minimization and Automata A formula φ is self-minimizing if 1.For every abstract model M over which φ is non-false (true or maybe) L(A M ) L(A ϕ ) 2.For every abstract model M over which φ is non-true (false or maybe) L(A M ) L(A ϕ ) 13

Self-minimization and Automata A formula φ is self-minimizing if 1.For every abstract model M over which φ is non-false (true or maybe) L(A M ) L(A ϕ ) 2.For every abstract model M over which φ is non-true (false or maybe) L(A M ) L(A ϕ ) Existing partial model formalisms can be translated to μ-automata There exists a linear syntactic translation from disjunctive μ-calculus to μ-automata [Janin & Walukiewicz 95] 13

Outline Need for thorough checking Thorough via compositional Main Result: Disjunctive/Conjunctive μ- calculus is self-minimizing Intuition Background Proof Our thorough checking algorithm Conclusion and future work 14

Main Result Let φ be a disjunctive formula. Show: for every abstract model M over which φ is non-false L(A M ) L(A ϕ ) The case for conjunctive φ is dual Proof Steps: 1. Translate models and formulas to μ-automata 2.Find a winning strategy for an intersection game between and (by structural induction) A M A ϕ 15

Show that AGp is self-minimizing i.e., M over which φ is non-false L(A M ) L(A AGP ) Choose (d) M Illustrating the Proof s 0 p q AGp s 1 p s 2 q q p s 3 p q 16

Show that AGp is self-minimizing i.e., M over which φ is non-false L(A M ) L(A AGP ) (d) M 1.Translate models and formulas to μ-automata Choose Illustrating the Proof s 0 p q AGp s 1 p s 2 q q p s 3 p q 16

Illustrating the Proof Show that AGp is self-minimizing i.e., M over which φ is non-false L(A M ) L(A AGP ) 1.Translate models and formulas to μ-automata A M AGp 16

Illustrating the Proof Show that AGp is self-minimizing i.e., M over which φ is non-false L(A M ) L(A AGP ) 1.Translate models and formulas to μ-automata A M A AGp 16

Illustrating the Proof Show that AGp is self-minimizing i.e., M over which φ is non-false L(A M ) L(A AGP ) 2. Find a winning strategy for an intersection game A M A AGp 16

Illustrating the Proof Show that AGp is self-minimizing i.e., M over which φ is non-false L(A M ) L(A AGP ) 2. Find a winning strategy for an intersection game A M A AGp 16

Illustrating the Proof Show that AGp is self-minimizing i.e., M over which φ is non-false L(A M ) L(A AGP ) 2. Find a winning strategy for an intersection game A M A AGp Proof by structural induction (see the paper) 16

Proof Steps: 1. Translate models and formulas to μ-automata 2.Find a winning strategy for an intersection game In conclusion: Main Result Disjunctive/conjunctive μ-calculus formulas are selfminimizing Every μ-calculus formula can be translated to its disjunctive/conjunctive form 17

Outline Need for thorough checking Thorough via compositional Main Result: Disjunctive/Conjunctive μ- calculus is self-minimizing Intuition Background proof Our thorough checking algorithm Conclusion and future work 18

Thorough Checking Algorithm ThoroughCheck(M, ϕ) (1): if (v := ModelCheck(M, ϕ)) Maybe return v (2): if IsSelfMinimizing(M, ϕ) return Maybe (3): return ModelCheck(M, SemanticMinimization(ϕ)) 19

Self-Minimization IsSelfMinimizing(M, ϕ) (i) if M is a PKS or an MixTS and ϕ is monotone return true (ii) if M is an HTS and ϕ is disjunctive return true (iii) return false Example Property over PKSs and MixTSs violates condition (i) HTSs violates condition (ii) Thus, AGq A[p U q] AGq A[p U q] is not self-minimizing 19

Semantic Minimization SemanticMinimization(ϕ) (i) convert ϕ to its disjunctive form ϕ (ii) replace all special conjunctions in ϕ containing p and p with False (iii) return ϕ Example: semantic minimization of Step (i) Step (ii) AGq A[p U q] AGq A[p U q] (i) A[p q U q q AXAGq] A[p q U q q AXAGq] (ii) A[p q U False] 19

Step (1) Complexity ThoroughCheck(M, ϕ) (1): if (v := ModelCheck(M, ϕ)) Maybe return v (2): if IsSelfMinimizing(M, ϕ) return Maybe (3): return ModelCheck(M, SemanticMinimization(ϕ)) Model checking μ-calculus formulas Step (2) O(( ϕ M ) d/2 +1 ) Self-minimization check is linear in the size of formulas Step (3) Semantic minimization O((2 O( ϕ ) M ) d/2 +1 ) 20

Conclusion Studied thorough checking over partial models An automata-based characterization for thorough checking Simple and syntactic self-minimization checks Grammars for identifying self-minimizing formulas in CTL A semantic-minimization procedure 21

Future Work Studying the classes of formulas for which thorough checking is cheap linear in the size of models Identifying commonly used formulas in practice that are self-minimizing 22

Thank You! Questions? 23

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback