Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety...
-
date post
20-Dec-2015 -
Category
Documents
-
view
213 -
download
0
Transcript of Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety...
Model Checking
Lecture 4
Outline
1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness
2 Graph algorithms for model checking
3 Symbolic algorithms for model checking
4 Pushdown systems
Model-checking problem
I |= S
system model: state-transition graph
system property: -safety v. weak v. strong fairness -logic v. spec v. monitor automata -linear v. branching
Model-Checking Algorithms = Graph Algorithms
Graph Algorithms
Given: labeled graph (Q, , A, [ ] )
Cost: each node access and edge access has unit cost
Complexity: in terms of
|Q| = n ... number of nodes
|| = m ... number of edges
Reachability and s.c.c.s: O(m+n)
The Graph-Algorithmic View is Problematic
-The graph is given implicitly (by a program) not explicitly (e.g., by adjacency lists).
-Building an explicit graph representation is exponential, but usually unnecessary (“on-the-fly” algorithms).
-The explicit graph representation may be so big, that the “unit-cost model” is not realistic.
-A class of algorithms, called “symbolic algorithms”, do not operate on nodes and edges at all.
Symbolic Model-Checking Algorithms
Given: a “symbolic theory”, that is, an abstract data type called region with the following operations:
pre, pre, post, post : region region
, , \ : region region region
, = : region region bool
< >, > < : A region
, Q : region
Intended Meaning of Symbolic Theories
region ... set of states
, , \, , =, ... set operations
<a> = { q Q | [q] = a }
>a< = { q Q | [q] a }
pre (R) = { q Q | ( r R) q r }
pre (R) = { q Q | ( r)( q r r R )}
post (R) = { q Q | ( r R) r q }
post (R) = { q Q | ( r)( r q r R )}
If the state of a system is given by variables of type Vals, and the transitions of the system can be described by operations Ops on Vals, then the first-order theory FO (Vals, Ops) is an adequate symbolic theory:
region ... formula of FO (Vals, Ops)
, , \, , =, , Q... , , , , , f, t
pre (R(X)) = ( X’)( Trans(X,X’) R(X’) )
pre (R(X)) = ( X’)( Trans(X,X’) R(X’) )
post (R(X)) = ( X”)( R(X”) Trans(X”,X) )
post (R(X)) = ( X”)( Trans(X”,X) R(X’’) )
If FO (Vals, Ops) admits quantifier elimination, then the propositional theory ZO (Vals, Ops) is an adequate symbolic theory:
each pre/post operation is a quantifier elimination
Example: Boolean Systems
-all system variables X are boolean
-region: quantifier-free boolean formula over X
-pre, post: boolean quantifier elimination
Complexity: PSPACE
Example: Presburger Systems
-all system variables X are integers
-the transition relation Trans(X,X’) is defined using only and
-region: quantifier-free formula of (Z, , )
-pre, post: quantifier elimination
An iterative language for writing symbolic model-checking algorithms
-only data type is region
-expressions: pre, post, , , \ , , =, < >, , Q
-assignment, sequencing, while-do, if-then-else
Example: Reachability a
S :=
R := <a>
while R S do
S := S R
R := pre(R)
A recursive language for writing symbolic model-checking algorithms:
The Mu-Calculus
a = ( R) (a pre(R))
a = ( R) (a pre(R))
Syntax of the Mu-Calculus
::= a | a |
| |
pre() | pre() |
(R) | (R) |
R
pre =
pre = R ... region variable
Semantics of the Mu-Calculus
[[ a ]]E := <a>
[[ a ]]E := >a<
[[ ]]E := [[ ]]E [[ ]]E
[[ ]]E := [[ ]]E [[ ]]E
[[ pre() ]]E := pre( [[ ]]E )
[[ pre() ]]E:= pre( [[ ]]E )
E maps each region variable to a region.
Operational Semantics of the Mu-Calculus
[[ (R) ]]E := S’ := ; repeat S := S’; S’ := [[]]E(RS)
until S’=S; return S
[[ (R) ]]E := S’ := Q; repeat S := S’; S’ := [[]]E(RS)
until S’=S; return S
Denotational Semantics of the Mu-Calculus
[[ (R) ]]E := smallest region S such that S = [[]]E(RS)
[[ (R) ]]E := largest region S such that S = [[]]E(RS)
These regions are unique because all operators on regions (, , pre, pre) are monotonic.
a = ( R) (a pre(R))
a = ( R) (a pre(R))
a = ( R) (a pre(R))
a = ( R) (a pre(R))
b U a = ( R) (a (b pre(R)))
a = ( R) (a pre(R)) = ( R) ( S) ((a pre(R)) pre(S))
-every / alternation adds expressiveness
-all omega-regular languages in alternation depth 2
-model checking complexity: O( (|| (m+n))d ) for formulas of alternation depth d
-most common implementation (SMV, Mocha): use BDDs to represent boolean regions
Binary Decision Diagrams
-canonical data structure for representing quantifier-free boolean formulas
-equivalence checking in constant time
-in practice, model checkers spend more than 90% of their time in “pre-image” or “post-image” computation
-almost synonymous with “symbolic” model checking
-SAT solvers superior in bounded model checking, which requires no termination (i.e., equivalence) check
Binary Decision Tree
-order k boolean variables x1, ..., xk
-binary tree of height k+1, each leaf labeled 0 or 1
-leaf of path “left, right, right, ...” gives value of boolean formula if x1=0, x2=1, x3=1, etc.
Truth Table Decision Tree
– Vertex represents decision– Follow green (dashed) line for value 0– Follow red (solid) line for value 1– Function value determined by leaf value– Along each path, variables occur in the variable order– Along each path, a variable occurs exactly once
0 0
x3
0 1
x3
x2
0 1
x3
0 1
x3
x2
x100001111
00110011
01010101
00010101
x1 x2 x3 f
(Reduced Ordered) Binary Decision Diagram
1 Identify isomorphic subtrees (this gives a dag)
2 Eliminate nodes with identical left and right successors
3 Eliminate redundant testsFor a given boolean formula and variable order, the result is unique.
(The choice of variable order may make an exponential difference!)
Merge equivalent leaves
a a
0 0
x3
0 1
x3
x2
0 1
x3
0 1
x3
x2
x1
x3 x3
x2
x3
0 1
x3
x2
x1
a
Reduction rule #1
y
x
z
x
Merge isomorphic nodes
x3 x3
x2
x3
0 1
x3
x2
x1
x3
x2
0 1
x3
x2
x1
y
x
z
x
y
x
z
x
Reduction rule #2
x3
x2
0 1
x3
x2
x1
Eliminate redundant tests
y
x
y
x2
0 1
x3
x1
Reduction rule #3
Initial graph
Reduced graph
• Canonical representation of Boolean function
• For given variable ordering, two functions equivalent if and only if their graphs are isomorphic
• Test in linear time
x2
0 1
x3
x1
0 0
x3
0 1
x3
x2
0 1
x3
0 1
x3
x2
x1(x1 x2) x3
Constants
Unique unsatisfiable function
Unique tautology1
0
Variable
Treat variableas function
0 1
x
Odd parity
Linearrepresentation
x2
x3
x4
10
x4
x3
x2
x1
Typical function
x2
0 1
x4
x1 (x1 x2) x3
No vertex labeled x3
independent of x3
Many subgraphs shared
Examples
Good ordering Bad ordering
Linear growth
0
b3
a3
b2
a2
1
b1
a1
Exponential growth
a3 a3
a2
b1 b1
a3
b2
b1
0
b3
b2
1
b1
a3
a2
a1
Effect of variable ordering(a1 b1) (a2 b2) (a3 b3)
Bit-serial computer analogy
• Operation– Read inputs in sequence; produce 0 or 1 as function
value.– Store information about previous inputs to correctly
deduce function value from remaining inputs.
• Relation to BDD Size– Processor requires K bits of memory at step i.– BDD has ~2K branches crossing level i.
K-BitMemory
Bit-SerialProcessor
0or1
00…0x1x2…xn
K = 2 K = n
0
b3
a3
b2
a2
1
b1
a1
a3 a3
a2
b1 b1
a3
b2
b1
0
b3
b2
1
b1
a3
a2
a1
(a1 b1) (a2 b2) (a3 b3)
Good ordering Bad ordering
Dynamic variable reordering
• Invented by Richard Rudell, Synopsys
• Periodically attempt to improve ordering for all BDDs– Part of garbage collection– Move each variable through ordering
to find its best location
• Has proved very successful
•••
•••
Lower bound for multiplication (Bryant 1991)
• Integer multiplier circuit– n-bit input words A and B– 2n-bit output word P
• Boolean function– Middle bit (n-1) of product
• Complexity– Exponential BDD for all
possible variable orderings
Multn
•••
•••
a0
an-1b0
bn-1
p0
pn-1pn
p2n-1
Actual Numbers 40,563,945 BDD nodes to
represent all outputs of 16-bit multiplier
Grows 2.86x per bit of word size
IntractableFunction
BDD operations , , , ,
x
n
a b
n.var = xn.false = an.true = b
BDD node
- BDD manager maintains a directed acyclic graph of BDD nodes- ite(x,a,b) returns a node with variable x, left child a, and right child b.
if (a = false b = false) return falseif (a = true) return bif (b = true) return aif (a = b) return aif (a.var < b.var) return ite(a.var, and(a.false,b), and(a.true,b))if (b.var < a.var) return ite(b.var, and(a,b.false), and(a,b.true))// a.var = b.varreturn ite(a.var, and(a.false,b.false), and(a.true,b.true))
and(a,b)
Complexity: O(|a| |b|)
not(a)
if (a = true) return falseif (a = false) return truereturn ite(a.var, not(a.false), not(a.true))
Complexity: O(|a|)
cofactor(a,x,b)
if (x < a.var) return aif (x > a.var) return ite(a.var, cofactor(a.false,x,b), cofactor(a.true,x,b))// x = a.varif (b) return a.trueelse return a.false
Complexity: O(|a|)
Operations returning BDD:or(a,b) not(and(not(a),not(b)))exists(a,x) or(cofactor(a,x,false), cofactor(a,x,true))forall(a,x) and(cofactor(a,x,false), cofactor(a,x,true))
Derived operations
Operations returning boolean:implies(a,b) (or(not(a),b) = true)iff(a,b) (a = b)
substitute(a,x,y)
Assumptions- a is independent of y- x and y are adjacent in variable order
if (a = true a = false) return aif (a.var > x) return aif (a.var < x) return ite(a.var, substitute(a.false,x,y), substitute(a.true,x,y))if (a.var = x) return ite(y,a.false,a.true)
Symbolic reachability analysis with BDDs
Vector of state variables: X = (x1,…,xn)Init predicate: I(X)Transition relation: T(X,X’)Error predicate: E(X)
R(X) = I(X)do { S(X) = R(X) R(X’) = exists(and(S(X),T(X,X’)), X) R(X) = substitute(R(X’),X’,X) R(X) = or(R(X),S(X))} while (R S)
Invariant: For each xi, xi and xi’ are adjacent in variable order