comp4600 advanced algorithms algorithms for verification
play

COMP4600 Advanced algorithms: Algorithms for verification (3 - PowerPoint PPT Presentation

Jun 20, 2023 •148 likes •1.77k views

Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking COMP4600 Advanced algorithms: Algorithms for verification (3 lectures) Andreas Bauer NICTA Software Systems Research Group & The

  1. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Linear-time temporal logic Some more useful LTL operators and shortcuts (syntactic “sugar”): true = p ∨ ¬ p false = ¬ true ϕ ∨ ψ = ¬ ( ¬ ϕ ∧ ¬ ψ ) ϕ → ψ = ¬ ϕ ∨ ψ ϕ ↔ ψ = ( ϕ → ψ ) ∧ ( ψ → ϕ ) F ϕ = true U ϕ (“eventually ϕ ”) G ϕ = ¬ F ¬ ϕ (“always ϕ ”) ϕ R ψ = ¬ ( ¬ ϕ U ¬ ψ ) (“release ψ when ϕ becomes true”) Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 14 / 83

  2. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Linear-time temporal logic Some LTL specifications: Invariants: G ¬ ( crit 1 ∧ crit 2 ) (mutual exclusion) G ( preset 1 ∨ . . . ∨ preset n ) (deadlock freedom) Response, recurrence: G ( try 1 → F crit 1 ) (eventual access to critical section) GF ¬ crit 1 (no starvation in critical section) Strong fairness: GF ( try 1 ∧ ¬ crit 2 ) → GF crit 1 (strong fairness) Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 15 / 83

  3. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking LTL model checking Is the following decision problem: Input : Kripke structure M , LTL formula ϕ . Question : Does L ( M ) ⊆ L ( ϕ ) hold (sometimes written as M | = ϕ )? Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 16 / 83

  4. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking LTL model checking Is the following decision problem: Input : Kripke structure M , LTL formula ϕ . Question : Does L ( M ) ⊆ L ( ϕ ) hold (sometimes written as M | = ϕ )? Example: Microwave oven L ( M ) ⊆ L ( G ( Heat → Close )) Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 16 / 83

  5. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking LTL model checking Key ideas: L ( M ) ⊆ L ( ϕ ) ⇔ L ( M ) ∩ L ( ¬ ϕ ) = ∅ If L ( M ) ∩ L ( ¬ ϕ ) � = ∅ , we have a counterexample. Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 17 / 83

  6. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking LTL model checking Key ideas: L ( M ) ⊆ L ( ϕ ) ⇔ L ( M ) ∩ L ( ¬ ϕ ) = ∅ If L ( M ) ∩ L ( ¬ ϕ ) � = ∅ , we have a counterexample. How do we test if L ( M ) ∩ L ( ¬ ϕ ) = ∅ ? Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 17 / 83

  7. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking LTL model checking Theorem For every ϕ ∈ LTL, there exists an ω -automaton, A , s.t., L ( A ) = L ( ϕ ) . Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 18 / 83

  8. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking LTL model checking Theorem For every ϕ ∈ LTL, there exists an ω -automaton, A , s.t., L ( A ) = L ( ϕ ) . Corollary We can solve the LTL model checking problem by testing if L ( M × A ¬ ϕ ) = ∅ . Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 18 / 83

  9. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking LTL model checking Theorem For every ϕ ∈ LTL, there exists an ω -automaton, A , s.t., L ( A ) = L ( ϕ ) . Corollary We can solve the LTL model checking problem by testing if L ( M × A ¬ ϕ ) = ∅ . Note that, M × A ¬ ϕ is normally too big to be explicitly computed (but we disregard that fact for now). Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 18 / 83

  10. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking LTL model checking— ω -automata Definition An ω -automaton is a five-tuple A = (Σ , Q , Q 0 , δ, F ) where Σ is the input alphabet, Q a finite set of states, Q 0 ⊆ Q a distinguished set of initial states, δ : Q → 2 Q a transition relation, and F an acceptance condition. A run ρ of A over a word w ∈ Σ ω is a mapping N 0 → Q s.t. ρ (0) ∈ Q 0 , and ρ ( i + 1) ∈ δ ( ρ ( i ) , w ( i )) for all i ∈ N 0 . Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 19 / 83

  11. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking LTL model checking— ω -automata Generalised B¨ uchi automaton (GBA): F = { F 1 , . . . , F n } F i ⊆ Q is an accepting set. ρ is accepting iff Inf ( ρ ) ∩ F i � = ∅ for 1 ≤ i ≤ n . Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 20 / 83

  12. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking LTL model checking— ω -automata Generalised B¨ uchi automaton (GBA): F = { F 1 , . . . , F n } F i ⊆ Q is an accepting set. ρ is accepting iff Inf ( ρ ) ∩ F i � = ∅ for 1 ≤ i ≤ n . Definition A word w is accepted by an ω -automaton A iff A has an accepting run over w . Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 20 / 83

  13. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking LTL model checking— ω -automata Generalised B¨ uchi automaton (GBA): F = { F 1 , . . . , F n } F i ⊆ Q is an accepting set. ρ is accepting iff Inf ( ρ ) ∩ F i � = ∅ for 1 ≤ i ≤ n . Definition A word w is accepted by an ω -automaton A iff A has an accepting run over w . uchi automaton (BA sometimes NBA): F = F . B¨ F ⊆ Q is a set of accepting states. ρ is accepting iff Inf ( ρ ) ∩ F � = ∅ . Streett automaton: F = { ( E 1 , F 1 ) , . . . , ( E n , F n ) } E i , F i ⊆ Q . ρ is accepting iff Inf ( ρ ) ∩ F i � = ∅ → Inf ( ρ ) ∩ E i � = ∅ for 1 ≤ i ≤ n . Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 20 / 83

  14. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking LTL model checking— ω -automata Recall: An automaton is deterministic iff for all q ∈ Q , and σ ∈ Σ, δ ( q , σ ) is a singleton; that is, if δ is, in fact, a function. Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 21 / 83

  15. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking LTL model checking— ω -automata Recall: An automaton is deterministic iff for all q ∈ Q , and σ ∈ Σ, δ ( q , σ ) is a singleton; that is, if δ is, in fact, a function. Theorem NBAs are strictly more expressive than DBAs. Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 21 / 83

  16. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking LTL model checking— ω -automata Recall: An automaton is deterministic iff for all q ∈ Q , and σ ∈ Σ, δ ( q , σ ) is a singleton; that is, if δ is, in fact, a function. Theorem NBAs are strictly more expressive than DBAs. Proof. L = L (( a + b ) ∗ a ω ) NBA- but not DBA-definable. Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 21 / 83

  17. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking LTL model checking— ω -automata Recall: An automaton is deterministic iff for all q ∈ Q , and σ ∈ Σ, δ ( q , σ ) is a singleton; that is, if δ is, in fact, a function. Theorem NBAs are strictly more expressive than DBAs. Proof. L = L (( a + b ) ∗ a ω ) NBA- but not DBA-definable. Theorem NBAs can encode every LTL property, but not vice versa. Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 21 / 83

  18. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking LTL model checking— ω -automata Recall: An automaton is deterministic iff for all q ∈ Q , and σ ∈ Σ, δ ( q , σ ) is a singleton; that is, if δ is, in fact, a function. Theorem NBAs are strictly more expressive than DBAs. Proof. L = L (( a + b ) ∗ a ω ) NBA- but not DBA-definable. Theorem NBAs can encode every LTL property, but not vice versa. Proof. “p occurs at least on even positions” Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 21 / 83

  19. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking LTL-to-automata translation—prerequisites Definition The syntactic closure of ϕ , cl ( ϕ ), consists of all subformulas of ψ of ϕ and their negation ¬ ψ . Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 22 / 83

  20. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking LTL-to-automata translation—prerequisites Definition The syntactic closure of ϕ , cl ( ϕ ), consists of all subformulas of ψ of ϕ and their negation ¬ ψ . Example: ϕ = a U ( ¬ a ∧ b ) Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 22 / 83

  21. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking LTL-to-automata translation—prerequisites Definition The syntactic closure of ϕ , cl ( ϕ ), consists of all subformulas of ψ of ϕ and their negation ¬ ψ . Example: ϕ = a U ( ¬ a ∧ b ) cl ( ϕ ) = { a , b , ¬ a , ¬ b , ¬ a ∧ b , ¬ ( ¬ a ∧ b ) , ϕ, ¬ ϕ } Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 22 / 83

  22. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking LTL-to-automata translation GBA for ϕ ∈ LTL : Q : elements of cl ( ϕ ), promised to be true. Q 0 : states containing ϕ . δ : repr. as graph G = ( V , E ), where V all complete subsets of cl ( ϕ ) (i.e., c ∈ V iff for all ψ ∈ cl ( ϕ ) either ψ ∈ c or ¬ ψ ∈ c , and for all ϕ ′ = ψ ∧ ψ ′ ∈ cl ( ϕ ) we have that ϕ ′ ∈ c iff ψ ∈ c and ψ ′ ∈ c .) ( c , d ) ∈ E iff for any ϕ ′ = ψ U ψ ′ ∈ cl ( ϕ ), ϕ ′ ∈ c iff either ψ ′ ∈ c , or ψ ∈ c and ϕ ′ ∈ d ; for any ϕ ′ = X ψ ∈ cl ( ϕ ), ϕ ′ ∈ c iff ψ ∈ d . F = {{ q ∈ Q | ψ U ψ ′ �∈ q or ψ ′ ∈ q } | ψ U ψ ′ ∈ cl ( ϕ ) } Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 23 / 83

  23. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking LTL-to-automata translation—complexity considerations How big is | Q | (resp. A ϕ ) at most? Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 24 / 83

  24. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking LTL-to-automata translation—complexity considerations How big is | Q | (resp. A ϕ ) at most? | cl ( ϕ ) | = O ( | ϕ | ). Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 24 / 83

  25. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking LTL-to-automata translation—complexity considerations How big is | Q | (resp. A ϕ ) at most? | cl ( ϕ ) | = O ( | ϕ | ). There are at most 2 O ( | ϕ | ) many possible subsets of cl ( ϕ ). Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 24 / 83

  26. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking LTL-to-automata translation—complexity considerations How big is | Q | (resp. A ϕ ) at most? | cl ( ϕ ) | = O ( | ϕ | ). There are at most 2 O ( | ϕ | ) many possible subsets of cl ( ϕ ). That’s why we do LTL model checking as L ( M × A ¬ ϕ ) = ∅ rather than L ( M ) ∩ L ( A ϕ ) = ∅ : Complementation of formula O (1) vs. complementation of automaton ≈ O (2 | Q | ). Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 24 / 83

  27. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking LTL-to-automata translation—optimisations GBA acceptance more difficult to test than NBA acceptance: Turn all states into tuples ( q , i ), where i is counter. Initially, i = 0; counter counts modulo |F| . i = i + 1 if the i th set F i of F is reached (i.e., if q not accepting counter doesn’t do anything). Now, we only need to check one accepting set, F 0 × { 0 } . Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 25 / 83

  28. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking LTL-to-automata translation—optimisations More formally: Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 26 / 83

  29. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking LTL-to-automata translation—optimisations More formally: From GBA A = (Σ , Q , Q 0 , δ, F = F 1 , . . . , F n ), we construct NBA B = (Σ , Q ′ , Q ′ 0 , δ ′ , F ′ ): Q ′ = Q × { 1 , . . . , n } δ ′ ⊆ Q ′ × Q ′ , where (( q , i ) , ( s , j )) ∈ δ ′ iff ( q , s ) ∈ δ AND q �∈ F i and i = j , or q ∈ F i and j = ( i + 1) mod n . Q ′ 0 = { ( q , 0) | q ∈ Q 0 } F ′ = { ( q , 0) | q ∈ F 0 } Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 26 / 83

  30. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking LTL-to-automata translation—optimisations More formally: From GBA A = (Σ , Q , Q 0 , δ, F = F 1 , . . . , F n ), we construct NBA B = (Σ , Q ′ , Q ′ 0 , δ ′ , F ′ ): Q ′ = Q × { 1 , . . . , n } δ ′ ⊆ Q ′ × Q ′ , where (( q , i ) , ( s , j )) ∈ δ ′ iff ( q , s ) ∈ δ AND q �∈ F i and i = j , or q ∈ F i and j = ( i + 1) mod n . Q ′ 0 = { ( q , 0) | q ∈ Q 0 } F ′ = { ( q , 0) | q ∈ F 0 } Edge-labelled vs. state-labelled NBA: Both used; arguably, edge-labelled more common. Easy translation between the two models. Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 26 / 83

  31. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking LTL-to-automata translation Some example NBAs: (w/o redundant states) X a : a U b : GF a : start true start start a start b true a start a ∧ b true a true The temporal formulae inside of states are just used for constructing automata. Later we can merely remember the Boolean formulae that are satisfied in order to enter a state as above. (You should convince yourself that this is an equivalent representation wrt. the accepted languages!) Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 27 / 83

  32. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Important properties of NBAs Let A be an NBA over Σ. L ( A ) = / � = ∅ ? Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 28 / 83

  33. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Important properties of NBAs Let A be an NBA over Σ. L ( A ) = / � = ∅ ? in P (i.e., linear-time algorithm) Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 28 / 83

  34. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Important properties of NBAs Let A be an NBA over Σ. L ( A ) = / � = ∅ ? in P (i.e., linear-time algorithm) L ( A ) = / � = Σ ω ? Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 28 / 83

  35. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Important properties of NBAs Let A be an NBA over Σ. L ( A ) = / � = ∅ ? in P (i.e., linear-time algorithm) L ( A ) = / � = Σ ω ? is PSpace-complete Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 28 / 83

  36. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Important properties of NBAs Let A be an NBA over Σ. L ( A ) = / � = ∅ ? in P (i.e., linear-time algorithm) L ( A ) = / � = Σ ω ? is PSpace-complete L ( A ) ∩ L ( B ) NBA representable (closure under intersection) Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 28 / 83

  37. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Important properties of NBAs Let A be an NBA over Σ. L ( A ) = / � = ∅ ? in P (i.e., linear-time algorithm) L ( A ) = / � = Σ ω ? is PSpace-complete L ( A ) ∩ L ( B ) NBA representable (closure under intersection) L ( A ) NBA representable (closure under complement) Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 28 / 83

  38. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Important properties of NBAs Let A be an NBA over Σ. L ( A ) = / � = ∅ ? in P (i.e., linear-time algorithm) L ( A ) = / � = Σ ω ? is PSpace-complete L ( A ) ∩ L ( B ) NBA representable (closure under intersection) L ( A ) NBA representable (closure under complement) NBAs are not closed under determinisation, i.e., there exists an NBA, A , for which there is no DBA, B , s.t. L ( A ) = L ( B ). Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 28 / 83

  39. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Important properties of NBAs Let A be an NBA over Σ. L ( A ) = / � = ∅ ? in P (i.e., linear-time algorithm) L ( A ) = / � = Σ ω ? is PSpace-complete L ( A ) ∩ L ( B ) NBA representable (closure under intersection) L ( A ) NBA representable (closure under complement) NBAs are not closed under determinisation, i.e., there exists an NBA, A , for which there is no DBA, B , s.t. L ( A ) = L ( B ). Closure under complement and intersection are the prerequisites for what is known as automata-theoretic model checking. Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 28 / 83

  40. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Automata theoretic model checking Given M = ( S , s 0 , R , L ) and A ϕ = (Σ , Q , Q 0 , δ, F ), we define the “product automaton” M × A ϕ = (Σ , Q ′ , Q ′ 0 , δ ′ , F ′ ) by Q ′ = { ( s , q ) ∈ S × Q | L ( s ) satisfies q } (recall: q contains a Boolean formula!) 0 = { ( s 0 , q ) ∈ Q ′ | q ∈ Q 0 } Q ′ δ ′ = { (( s , q ) , ( s ′ , q ′ )) ∈ Q ′ × Q ′ | ( s , s ′ ) ∈ R and ( q , q ′ ) ∈ δ } F ′ = { ( s , q ) ∈ Q ′ | q ∈ F } Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 29 / 83

  41. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Automata theoretic model checking Given M = ( S , s 0 , R , L ) and A ϕ = (Σ , Q , Q 0 , δ, F ), we define the “product automaton” M × A ϕ = (Σ , Q ′ , Q ′ 0 , δ ′ , F ′ ) by Q ′ = { ( s , q ) ∈ S × Q | L ( s ) satisfies q } (recall: q contains a Boolean formula!) 0 = { ( s 0 , q ) ∈ Q ′ | q ∈ Q 0 } Q ′ δ ′ = { (( s , q ) , ( s ′ , q ′ )) ∈ Q ′ × Q ′ | ( s , s ′ ) ∈ R and ( q , q ′ ) ∈ δ } F ′ = { ( s , q ) ∈ Q ′ | q ∈ F } What is the accepted language of this automaton? Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 29 / 83

  42. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Automata theoretic model checking Given M = ( S , s 0 , R , L ) and A ϕ = (Σ , Q , Q 0 , δ, F ), we define the “product automaton” M × A ϕ = (Σ , Q ′ , Q ′ 0 , δ ′ , F ′ ) by Q ′ = { ( s , q ) ∈ S × Q | L ( s ) satisfies q } (recall: q contains a Boolean formula!) 0 = { ( s 0 , q ) ∈ Q ′ | q ∈ Q 0 } Q ′ δ ′ = { (( s , q ) , ( s ′ , q ′ )) ∈ Q ′ × Q ′ | ( s , s ′ ) ∈ R and ( q , q ′ ) ∈ δ } F ′ = { ( s , q ) ∈ Q ′ | q ∈ F } What is the accepted language of this automaton? Lemma L ( M × A ϕ ) = L ( M ) ∩ L ( A ϕ ) Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 29 / 83

  43. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Automata theoretic model checking Recall: we need to test if L ( M × A ϕ ) = ∅ . (How do we do it?) Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 30 / 83

  44. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Automata theoretic model checking Recall: we need to test if L ( M × A ϕ ) = ∅ . (How do we do it?) Theorem L ( M × A ϕ ) = ∅ ⇔ there is no reachable cycle containing a state from F. Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 30 / 83

  45. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Automata theoretic model checking Recall: we need to test if L ( M × A ϕ ) = ∅ . (How do we do it?) Theorem L ( M × A ϕ ) = ∅ ⇔ there is no reachable cycle containing a state from F. Polynomial-time algorithm (e.g., Tarjan’s SCC finding alg.) does the job (cf. Knuth Vol. 3) Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 30 / 83

  46. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Automata theoretic model checking Recall: we need to test if L ( M × A ϕ ) = ∅ . (How do we do it?) Theorem L ( M × A ϕ ) = ∅ ⇔ there is no reachable cycle containing a state from F. Polynomial-time algorithm (e.g., Tarjan’s SCC finding alg.) does the job (cf. Knuth Vol. 3) Corollary LTL model checking is in PTime, if M and A ϕ are given. . . . which is never the case in practice. :-( Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 30 / 83

  47. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Detour (I): Tarjan’s algorithm for SCC identification Idea: Does a forward DFS to visit all nodes once to assign increasing index, and upon returning from the recursive calls, assigns low-indices that point to the node with the smallest index reachable from each respective node. When low-index of a node = index of that node, we have a root of an SCC. Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 31 / 83

  48. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Detour (I): Tarjan’s algorithm for SCC identification Some observations: strongconnect(x) is called once for every node. The for-each-loop at most considers each edge twice (to find neighbours of all nodes) (But not all nodes have necessarily an outgoing edge.) That is, runtime of O ( | V | + | E | ). Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 32 / 83

  49. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Detour (II): On-The-Fly Bad-Cycle-Detection Idea: Often M not given, so one needs to construct M from an abstract model (e.g., code, call it M ). Instead of doing it all at once, one can construct M on-the-fly (cf. Vardi et al, CAV’90). Observe, it is easy to obtain initial states (i.e., initial in M and A ϕ ) Algorithm proceeds by expanding more states in an “as needed” manner, and looks if a cycle can be found which hosts an accepting state from A ϕ . In practice, there’s a fair chance it will find an accepting cycle before having expanded all nodes of M . Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 33 / 83

  50. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Detour (II): On-The-Fly Bad-Cycle-Detection (Slide shamelessly stolen from Kousha Etessami.) Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 34 / 83

  51. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Complexity of LTL model checking Recall: Input to the LTL model checking problem is a KS, M , and ϕ . The question to be answered is, does L ( M ) ∩ L ( ¬ ϕ ) � = ∅ hold? Theorem The LTL model checking problem can be answered in time O (2 O ( | ϕ | ) · | M | ) (cf. size of NBA), or in PSpace (but potentially ExpTime; cf. on-the-fly alg.). Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 35 / 83

  52. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Complexity of LTL model checking Recall: Input to the LTL model checking problem is a KS, M , and ϕ . The question to be answered is, does L ( M ) ∩ L ( ¬ ϕ ) � = ∅ hold? Theorem The LTL model checking problem can be answered in time O (2 O ( | ϕ | ) · | M | ) (cf. size of NBA), or in PSpace (but potentially ExpTime; cf. on-the-fly alg.). The latter explains why model checking works in practice: the NBA can be fixed for most formulae, and the subsequent state-space exploration optimised. Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 35 / 83

  53. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Complexity of LTL model checking Theorem LTL model checking is PSpace-complete. Proof. Hardness: Reduction from LTL satisfiability, which is also PSpace-complete: L ( ϕ ) = ∅ ⇔ L ( ϕ ) ∩ Σ ω = ∅ ⇔ Σ ω | = ¬ ϕ . Membership: Nondeterministic algorithm: Expand NBA on-the-fly (similar to expansion of M earlier) and guess a path through M , and a state, l , in the NBA which lies on an accepting loop. Each expansion step of the NBA can be done in PTime, and to check whether l is visited again is constant. If guessed path goes through l twice, we know that we have a counterexample. Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 36 / 83

  54. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Computation Tree Logic (CTL) CTL syntax ϕ ::= p ∈ AP | ¬ ϕ | ϕ ∧ ϕ | AX ϕ | EX ϕ | A ( ϕ U ϕ ) | E ( ϕ U ϕ ) Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 37 / 83

  55. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Computation Tree Logic (CTL) CTL syntax ϕ ::= p ∈ AP | ¬ ϕ | ϕ ∧ ϕ | AX ϕ | EX ϕ | A ( ϕ U ϕ ) | E ( ϕ U ϕ ) Note, there’s no arbitrary nesting of path quantifiers (cf. CTL ∗ ). For example, you can’t say XAF ϕ in CTL. But EFEG ϕ is OK. Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 37 / 83

  56. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking CTL—syntactic sugar and equalities AX ϕ = ¬ EX ( ¬ ϕ ) EF ϕ = E ( true U ϕ ) AG ϕ = ¬ EF ( ¬ ϕ ) AF ϕ = ¬ EG ( ¬ ϕ ) A ( ϕ U ψ ) = ¬ E ( ¬ ψ U ( ¬ ϕ ∧ ¬ ψ )) ∧ ¬ EG ¬ ψ A ( ϕ R ψ ) = ¬ E ( ¬ ϕ U ¬ ψ ) E ( ϕ R ψ ) = ¬ A ( ¬ ϕ U ¬ ψ ) Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 38 / 83

  57. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking CTL—syntactic sugar and equalities AX ϕ = ¬ EX ( ¬ ϕ ) EF ϕ = E ( true U ϕ ) AG ϕ = ¬ EF ( ¬ ϕ ) AF ϕ = ¬ EG ( ¬ ϕ ) A ( ϕ U ψ ) = ¬ E ( ¬ ψ U ( ¬ ϕ ∧ ¬ ψ )) ∧ ¬ EG ¬ ψ A ( ϕ R ψ ) = ¬ E ( ¬ ϕ U ¬ ψ ) E ( ϕ R ψ ) = ¬ A ( ¬ ϕ U ¬ ψ ) Corollary Any CTL formula can be expressed in terms of ¬ , ∨ , EX , EU and EG alone. Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 38 / 83

  58. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking CTL—semantics CTL semantics: Let M = ( S , R , L ) be defined as usual; s ∈ S . M , s | = p iff p ∈ L ( s ) M , s | = ¬ ϕ iff M , s | = ϕ is not true M , s | = ϕ ∧ ψ iff M , s | = ϕ and M , s | = ψ M , s | for all s → s 1 , M , s 1 | = AX ϕ iff = ϕ M , s | = EX ϕ iff there is a s → s 1 , s.t. M , s 1 | = ϕ M , s | for all s 1 → s 2 → . . . , where s 1 = s , = A ( ϕ U ψ ) iff there is a s k , s.t. M , s k | = ψ, and M , s j | = ϕ for all s j , where 0 ≤ j < k M , s | = E ( ϕ U ψ ) iff there is a . . . Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 39 / 83

  59. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking CTL—examples Some CTL specifications: EF ( Start ∧ ¬ Ready ): It is possible to reach a state in which Start but not Ready holds. AG ( Req → AF Ack ): Every req. is eventually answered. AG ( AF DeviceEnabled ): The device is enabled infinitely often on all paths. AG ( EF Restart ): From any state it is possible to reach a state in which Restart holds. Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 40 / 83

  60. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking CTL model checking—labelling algorithm “Labelling algorithm”—what it does: Input: A CTL formula, ϕ , and a Kripke structure, M = ( S , s 0 , R , L ) over a set AP . Output: A set of formulae, label ( s 0 ), that are true in s 0 (i.e., M , s 0 | = ϕ iff ϕ ∈ label ( s )). Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 41 / 83

  61. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking CTL model checking—labelling algorithm “Labelling algorithm”—what it does: Input: A CTL formula, ϕ , and a Kripke structure, M = ( S , s 0 , R , L ) over a set AP . Output: A set of formulae, label ( s 0 ), that are true in s 0 (i.e., M , s 0 | = ϕ iff ϕ ∈ label ( s )). Initially, label ( s 0 ) = L ( s 0 ); algorithm goes through states, at stage i , CTL subformulae with i − 1 nested temporal operators are processed. When a formula is processed it is added to the labelling of those states where it is true. Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 41 / 83

  62. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking CTL model checking—labelling algorithm By strucutral induction 1 (that is, algorithm starts with innermost formulae and works its way “outwards”): Φ = ¬ ϕ : label all states with Φ that are not labelled by ϕ . Φ = ϕ ∨ ψ : label all states with Φ that are labelled by either ϕ or ψ . Φ = EX ϕ : label all states with Φ that have a successor labelled by ϕ . Φ = E ( ϕ U ψ ): find all states labelled by ψ ; then work backwards until you hit a state labelled by ϕ ; all intermediate states on these paths should be labelled by Φ. 1 Only few cases due to earlier corollary! Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 42 / 83

  63. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking CTL model checking—labelling algorithm Runs in O ( | S | + | R | ). Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 43 / 83

  64. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking CTL model checking—labelling algorithm Φ = EG ϕ slightly more complicated; needs notion of SCC: First create M ′ = ( S ′ , s ′ 0 , R ′ , L ′ ), where S ′ = { s ∈ S ′ | M , s | = ϕ } (i.e., remove all nodes from M , where ϕ does not hold) R ′ = R | S ′ × S ′ L ′ = L | S ′ Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 44 / 83

  65. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking CTL model checking—labelling algorithm Φ = EG ϕ slightly more complicated; needs notion of SCC: First create M ′ = ( S ′ , s ′ 0 , R ′ , L ′ ), where S ′ = { s ∈ S ′ | M , s | = ϕ } (i.e., remove all nodes from M , where ϕ does not hold) R ′ = R | S ′ × S ′ L ′ = L | S ′ Lemma M , s | = EG ϕ iff the following two conditions are satisfied: 1 s ∈ S ′ 2 There is a path in M ′ , starting in s, to some node t in some SCC of graph ( S ′ , R ′ ) . Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 44 / 83

  66. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking CTL model checking—labelling algorithm Proof. ( ⇒ ) As for 1.: Clearly, s ∈ S ′ . Now we need to show 2. Let w ′ = uw be a path in M such that ϕ is true in each state. u is the prefix and w the infinite suffix. For w to repeat, it must lie inside a SCC. And since ϕ is true along the path, we have for u and w that they’re both contained in S ′ by the construction of M ′ . ( ⇐ ) Every path that in M ′ is also a path in M . And if there is a path that loops infinitely through some SCC, and on which ϕ holds, then it is a model for EG ϕ . Since the initial state of that path, s ∈ S ′ is clearly also in S , the lemma follows. Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 45 / 83

  67. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking CTL model checking—labelling algorithm Runs in O ( | S ′ | + | R ′ | ). Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 46 / 83

  68. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking CTL model checking—labelling algorithm Since we have at most | ϕ | subformulae, CTL model checking against a Kripke structure takes time O ( | ϕ | · ( | S | + | R | )). Theorem To decide the CTL model checking problem one only needs an algorithm that runs in PTime. Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 47 / 83

  69. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking CTL model checking—example Same Kripke structure we used earlier: 1 “start oven” “open door” “cook” 2 Start , Error 3 Close Close , Heat 4 “reset” “start oven” “start cooking” 5 Start , Close , Error 6 Start , Close Start , Close , Heat 7 “warm up” , 1 | = AG ( Start → AF Heat )? Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 48 / 83

  70. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking CTL model checking—example Same Kripke structure we used earlier: 1 “start oven” “open door” “cook” 2 Start , Error 3 Close Close , Heat 4 “reset” “start oven” “start cooking” 5 Start , Close , Error 6 Start , Close Start , Close , Heat 7 “warm up” , 1 | = AG ( Start → AF Heat )? Observe: AG ( Start → AF Heat ) equiv. to ¬ EF ( Start ∧ EG ¬ Heat ) We use EF ϕ as shorthand for E ( true U ϕ ). Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 48 / 83

  71. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking CTL model checking—example How the algorithm proceeds: Let S ( ψ ) be the set of states in which ψ holds. Initially, S ( Start ) = { 2 , 5 , 6 , 7 } , S ( ¬ Heat ) = { 1 , 2 , 3 , 5 , 6 } . For S ( EG ¬ Heat ) we first find SCCs wrt. ¬ Heat . 2 not 6, because you can reach 7 from 6, where Heat is true Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 49 / 83

  72. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking CTL model checking—example How the algorithm proceeds: Let S ( ψ ) be the set of states in which ψ holds. Initially, S ( Start ) = { 2 , 5 , 6 , 7 } , S ( ¬ Heat ) = { 1 , 2 , 3 , 5 , 6 } . For S ( EG ¬ Heat ) we first find SCCs wrt. ¬ Heat . I.e., S ′ = { 1 , 2 , 3 , 5 , 6 } , and SCC in S ′ is { 1 , 2 , 3 , 5 } = S ( EG ¬ Heat ) 2 2 not 6, because you can reach 7 from 6, where Heat is true Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 49 / 83

  73. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking CTL model checking—example How the algorithm proceeds: Let S ( ψ ) be the set of states in which ψ holds. Initially, S ( Start ) = { 2 , 5 , 6 , 7 } , S ( ¬ Heat ) = { 1 , 2 , 3 , 5 , 6 } . For S ( EG ¬ Heat ) we first find SCCs wrt. ¬ Heat . I.e., S ′ = { 1 , 2 , 3 , 5 , 6 } , and SCC in S ′ is { 1 , 2 , 3 , 5 } = S ( EG ¬ Heat ) 2 S ( Start ∧ EG ¬ Heat ) 2 not 6, because you can reach 7 from 6, where Heat is true Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 49 / 83

  74. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking CTL model checking—example How the algorithm proceeds: Let S ( ψ ) be the set of states in which ψ holds. Initially, S ( Start ) = { 2 , 5 , 6 , 7 } , S ( ¬ Heat ) = { 1 , 2 , 3 , 5 , 6 } . For S ( EG ¬ Heat ) we first find SCCs wrt. ¬ Heat . I.e., S ′ = { 1 , 2 , 3 , 5 , 6 } , and SCC in S ′ is { 1 , 2 , 3 , 5 } = S ( EG ¬ Heat ) 2 S ( Start ∧ EG ¬ Heat ) = { 2 , 5 } . To compute S ( EF ( Start ∧ EG ¬ Heat ), set T = S ( EG ¬ Heat ) and find all states from which states from T can be reached, 2 not 6, because you can reach 7 from 6, where Heat is true Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 49 / 83

  75. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking CTL model checking—example How the algorithm proceeds: Let S ( ψ ) be the set of states in which ψ holds. Initially, S ( Start ) = { 2 , 5 , 6 , 7 } , S ( ¬ Heat ) = { 1 , 2 , 3 , 5 , 6 } . For S ( EG ¬ Heat ) we first find SCCs wrt. ¬ Heat . I.e., S ′ = { 1 , 2 , 3 , 5 , 6 } , and SCC in S ′ is { 1 , 2 , 3 , 5 } = S ( EG ¬ Heat ) 2 S ( Start ∧ EG ¬ Heat ) = { 2 , 5 } . To compute S ( EF ( Start ∧ EG ¬ Heat ), set T = S ( EG ¬ Heat ) and find all states from which states from T can be reached, i.e., S ( EF ( Start ∧ EG ¬ Heat ) = S . 2 not 6, because you can reach 7 from 6, where Heat is true Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 49 / 83

  76. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking CTL model checking—example How the algorithm proceeds: Let S ( ψ ) be the set of states in which ψ holds. Initially, S ( Start ) = { 2 , 5 , 6 , 7 } , S ( ¬ Heat ) = { 1 , 2 , 3 , 5 , 6 } . For S ( EG ¬ Heat ) we first find SCCs wrt. ¬ Heat . I.e., S ′ = { 1 , 2 , 3 , 5 , 6 } , and SCC in S ′ is { 1 , 2 , 3 , 5 } = S ( EG ¬ Heat ) 2 S ( Start ∧ EG ¬ Heat ) = { 2 , 5 } . To compute S ( EF ( Start ∧ EG ¬ Heat ), set T = S ( EG ¬ Heat ) and find all states from which states from T can be reached, i.e., S ( EF ( Start ∧ EG ¬ Heat ) = S . Finally, S ( ¬ EF ( Start ∧ EG ¬ Heat ) = S ( EF ( Start ∧ EG ¬ Heat ) = ∅ . 2 not 6, because you can reach 7 from 6, where Heat is true Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 49 / 83

  77. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking CTL model checking—example How the algorithm proceeds: Let S ( ψ ) be the set of states in which ψ holds. Initially, S ( Start ) = { 2 , 5 , 6 , 7 } , S ( ¬ Heat ) = { 1 , 2 , 3 , 5 , 6 } . For S ( EG ¬ Heat ) we first find SCCs wrt. ¬ Heat . I.e., S ′ = { 1 , 2 , 3 , 5 , 6 } , and SCC in S ′ is { 1 , 2 , 3 , 5 } = S ( EG ¬ Heat ) 2 S ( Start ∧ EG ¬ Heat ) = { 2 , 5 } . To compute S ( EF ( Start ∧ EG ¬ Heat ), set T = S ( EG ¬ Heat ) and find all states from which states from T can be reached, i.e., S ( EF ( Start ∧ EG ¬ Heat ) = S . Finally, S ( ¬ EF ( Start ∧ EG ¬ Heat ) = S ( EF ( Start ∧ EG ¬ Heat ) = ∅ . Property does not hold. :-( 2 not 6, because you can reach 7 from 6, where Heat is true Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 49 / 83

  78. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Binary decision diagrams Popular data structure for compactly and uniquely representing Boolean functions. Efficient algorithms known to manipulate BDDs according to the operations in Boolean logic. Applications: there are many! In our context: to compactly represent Kripke structures. Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 50 / 83

  79. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Binary decision diagrams Let x → y 0 , y 1 be the if-then-else operator defined by x → y 0 , y 1 = ( x ∧ y 0 ) ∨ ( ¬ x ∧ y 1 ) All other Boolean operations can be expressed in terms of this operator: ¬ x = Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 51 / 83

  80. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Binary decision diagrams Let x → y 0 , y 1 be the if-then-else operator defined by x → y 0 , y 1 = ( x ∧ y 0 ) ∨ ( ¬ x ∧ y 1 ) All other Boolean operations can be expressed in terms of this operator: ¬ x = ( x → 0 , 1) x ⇔ y = Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 51 / 83

  81. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Binary decision diagrams Let x → y 0 , y 1 be the if-then-else operator defined by x → y 0 , y 1 = ( x ∧ y 0 ) ∨ ( ¬ x ∧ y 1 ) All other Boolean operations can be expressed in terms of this operator: ¬ x = ( x → 0 , 1) x ⇔ y = x → ( y → 1 , 0) , ( y → 0 , 1) etc. Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 51 / 83

  82. Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking Binary decision diagrams Let x → y 0 , y 1 be the if-then-else operator defined by x → y 0 , y 1 = ( x ∧ y 0 ) ∨ ( ¬ x ∧ y 1 ) All other Boolean operations can be expressed in terms of this operator: ¬ x = ( x → 0 , 1) x ⇔ y = x → ( y → 1 , 0) , ( y → 0 , 1) etc. Definition The ITE-normal form (INF) is a Boolean expression built entirely from the ITE-operator. (You may have heard of other normal forms.) Andreas Bauer NICTA & ANU COMP4600 Advanced algorithms: Algorithms for verification 51 / 83

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Advanced Algorithms (I) Chihao Zhang Shanghai Jiao Tong University Feb. 25, 2019 Advanced

Advanced Algorithms (I) Chihao Zhang Shanghai Jiao Tong University Feb. 25, 2019 Advanced

Advanced Algorithms (I) Chihao Zhang Shanghai Jiao Tong University Feb. 25, 2019 Advanced Algorithms (I) 1/14 Advanced Algorithms In the course, we will learn Approximation Algorithms linear programming, semi-definite programming spectral

646 views • 64 slides
Week 7 Video 3 Advanced Clustering Algorithms Today Multiple advanced algorithms for

Week 7 Video 3 Advanced Clustering Algorithms Today Multiple advanced algorithms for

Week 7 Video 3 Advanced Clustering Algorithms Today Multiple advanced algorithms for clustering Gaussian Mixture Models Often called EM-based clustering Kind of a misnomer in my opinion What distinguishes this algorithm

681 views • 21 slides
Advanced Algorithms LP-based Algorithms LP rounding: Relax the

Advanced Algorithms LP-based Algorithms LP rounding: Relax the

Advanced Algorithms LP-based Algorithms LP rounding: Relax the integer program to LP; round the optimal LP solution to a nearby feasible integral solution. The primal-dual schema: Find a pair of

653 views • 38 slides
ADVANCED ALGORITHMS Lecture 14: randomized algorithms 1 ANNOUNCEMENTS HW 3 out; due

ADVANCED ALGORITHMS Lecture 14: randomized algorithms 1 ANNOUNCEMENTS HW 3 out; due

ADVANCED ALGORITHMS Lecture 14: randomized algorithms 1 ANNOUNCEMENTS HW 3 out; due Friday after fall break Look out for project topics! announcement in a little while Groups of 2-3 Give a list of &gt;= 5 topics, top choice

900 views • 23 slides
Advanced Algorithms (IV) Chihao Zhang Shanghai Jiao Tong University Mar. 18, 2019 Advanced

Advanced Algorithms (IV) Chihao Zhang Shanghai Jiao Tong University Mar. 18, 2019 Advanced

Advanced Algorithms (IV) Chihao Zhang Shanghai Jiao Tong University Mar. 18, 2019 Advanced Algorithms (IV) 1/11 Review n u v E w T u w v s.t. w u u max V w T u w u u V Advanced Algorithms (IV) e Vector Program MaxCut Integer

606 views • 39 slides
Divide and Conquer Algorithms: Advanced Sorting Prichard Ch. 10.2: Advanced Sorting Algorithms

Divide and Conquer Algorithms: Advanced Sorting Prichard Ch. 10.2: Advanced Sorting Algorithms

Divide and Conquer Algorithms: Advanced Sorting Prichard Ch. 10.2: Advanced Sorting Algorithms 1 Sorting Algorithm n Organize a collection of data into either ascending or descending order. n Internal sort q Collection of data fits entirely in

573 views • 42 slides
Advanced Algorithms COMS31900 Approximation algorithms part two more constant factor

Advanced Algorithms COMS31900 Approximation algorithms part two more constant factor

Advanced Algorithms COMS31900 Approximation algorithms part two more constant factor approximations Rapha el Clifford Slides by Benjamin Sach Approximation Algorithms Recap An algorithm A is an -approximation algorithm for problem P

2.14k views • 175 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (10/21/04) I E S R C E O V

UMBC A B M A L T F O U M B C I M Y O R T 1 (10/21/04) I E S R C E O V

VLSI Design Verification and Test Combo ATPG II CMPE 646 ATPG Algorithms Characteristics of the three main algorithms: Roths D-Algorithm (D-ALG) defined the calculus and algorithms for ATPG using D-cubes. Goels PODEM used path

359 views • 21 slides
Formal verification of IA-64 division algorithms John Harrison Intel Corporation IA-64

Formal verification of IA-64 division algorithms John Harrison Intel Corporation IA-64

Formal verification of IA-64 division algorithms 1 Formal verification of IA-64 division algorithms John Harrison Intel Corporation IA-64 overview Quick introduction to HOL Light Floating point numbers and IA-64 formats HOL

451 views • 19 slides
Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of

Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of

Formal Verification of Mathematical Algorithms 1 Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of bugs Formal verification Levels of verification HOL Light Formalizing mathematics

353 views • 19 slides
Greedy Algorithms Chapter 16 1 CPTR 430 Algorithms Greedy Algorithms Greedy Algorithms For

Greedy Algorithms Chapter 16 1 CPTR 430 Algorithms Greedy Algorithms Greedy Algorithms For

Greedy Algorithms Chapter 16 1 CPTR 430 Algorithms Greedy Algorithms Greedy Algorithms For some optimization problems, dynamic programming algorithms are overkill A greedy algorithm always makes a choice that looks best at the moment

1.09k views • 65 slides
Greedy Algorithms Course: CS 5130 - Advanced Data Structures and Algorithms Instructor: Dr. Badri

Greedy Algorithms Course: CS 5130 - Advanced Data Structures and Algorithms Instructor: Dr. Badri

Greedy Algorithms Course: CS 5130 - Advanced Data Structures and Algorithms Instructor: Dr. Badri Adhikari Motivation For many optimization problems, dynamic programming is overkill . A greedy algorithm always makes the choice that looks best at

526 views • 28 slides
Advanced Algorithms COMS31900 Approximation algorithms part four Asymptotic Polynomial Time

Advanced Algorithms COMS31900 Approximation algorithms part four Asymptotic Polynomial Time

Advanced Algorithms COMS31900 Approximation algorithms part four Asymptotic Polynomial Time Approximation Schemes Rapha el Clifford Slides by Benjamin Sach Approximation Algorithms Recap A polynomial time algorithm A is an

1.52k views • 134 slides
Advanced Algorithms COMS31900 Approximation algorithms part three (Fully) Polynomial Time

Advanced Algorithms COMS31900 Approximation algorithms part three (Fully) Polynomial Time

Advanced Algorithms COMS31900 Approximation algorithms part three (Fully) Polynomial Time Approximation Schemes Rapha el Clifford Slides by Benjamin Sach Approximation Algorithms Recap An algorithm A is an -approximation algorithm for

1.72k views • 161 slides
Evolutionary Algorithms CS 478 - Evolutionary Algorithms 1 Evolutionary Computation/Algorithms

Evolutionary Algorithms CS 478 - Evolutionary Algorithms 1 Evolutionary Computation/Algorithms

Evolutionary Algorithms CS 478 - Evolutionary Algorithms 1 Evolutionary Computation/Algorithms Genetic Algorithms l Simulate natural evolution of structures via selection and reproduction, based on performance (fitness) l Type of

524 views • 30 slides
Automating the Verification of Floating-point Algorithms Guillaume Melquiond Inria Saclay

Automating the Verification of Floating-point Algorithms Guillaume Melquiond Inria Saclay

Introduction Interval+Error Advanced Gappa Conclusion Automating the Verification of Floating-point Algorithms Guillaume Melquiond Inria Saclay Ile-de-France LRI, Universit e Paris Sud, CNRS 2014-07-18 Guillaume Melquiond

1.55k views • 126 slides
Two Synthesis Approaches for CTL* Roderick Bloem 1 , Ayrat Khalimov 1 , Sven Schewe 2 2 1 1

Two Synthesis Approaches for CTL* Roderick Bloem 1 , Ayrat Khalimov 1 , Sven Schewe 2 2 1 1

Two Synthesis Approaches for CTL* Roderick Bloem 1 , Ayrat Khalimov 1 , Sven Schewe 2 2 1 1 Rigorous Systems Engineering LTL/CTL* synthesis problem Specification: LTL formula: ( ) Inputs: , outputs: Find

207 views • 17 slides
Complexity and Expressivity of Branching- and Alternating-Time Temporal Logics with Finitely Many

Complexity and Expressivity of Branching- and Alternating-Time Temporal Logics with Finitely Many

Complexity and Expressivity of Branching- and Alternating-Time Temporal Logics with Finitely Many Variables Mikhail Rybakov and Dmitry Shkatov ICTAC 2018 Mikhail Rybakov and Dmitry Shkatov Complexity of Logics with Finitely Many Variables

490 views • 31 slides
Definition 3.12 We define CTL formulas inductively via a Backus Naur form as done for LTL: ::=

Definition 3.12 We define CTL formulas inductively via a Backus Naur form as done for LTL: ::=

Definition 3.12 We define CTL formulas inductively via a Backus Naur form as done for LTL: ::= | | p | ( ) | ( ) | ( ) | ( ) | AX | EX | AF | EF | AG | EG | A[ U ] | E[ U

277 views • 10 slides
Distributed synthesis for synchronous systems 1 Paul Gastin LSV ENS de Cachan &amp; CNRS

Distributed synthesis for synchronous systems 1 Paul Gastin LSV ENS de Cachan &amp; CNRS

Distributed synthesis for synchronous systems 1 Paul Gastin LSV ENS de Cachan &amp; CNRS Paul.Gastin@lsv.ens-cachan.fr Dec 6th, 2006 1 Joint work with Nathalie Sznajder and Marc Zeitoun 1 / 41 Outline Synthesis and control for sequential

1.04k views • 100 slides
Introduction to Model Checking Radu Mateescu Inria Univ. Grenoble Alpes LIG What is model

Introduction to Model Checking Radu Mateescu Inria Univ. Grenoble Alpes LIG What is model

Introduction to Model Checking Radu Mateescu Inria Univ. Grenoble Alpes LIG What is model checking? Model checking is the method by which a desired behavioral property of a reactive system is verified over a given system (the model )

606 views • 32 slides
On the semantics of Strategy Logic Nicolas Markey IRISA CNRS &amp; Univ. Rennes 1 (based on

On the semantics of Strategy Logic Nicolas Markey IRISA CNRS &amp; Univ. Rennes 1 (based on

On the semantics of Strategy Logic Nicolas Markey IRISA CNRS &amp; Univ. Rennes 1 (based on joint works with Patricia Bouyer, Patrick Gardy, and Franois Laroussinie) Dagstuhl, March 17, 2017 Computation-Tree Logic (CTL) atomic

840 views • 61 slides
Open Source - Killing standards organizations or saving them Open source and standards join

Open Source - Killing standards organizations or saving them Open source and standards join

Open Source - Killing standards organizations or saving them Open source and standards join forces for mutual benefit Charles Eckel, Developer Advocate, Cisco eckelcu@cisco.com, @eckelcu FOSDEM 2020 Image of enemies working together 2 Why

228 views • 20 slides
Fachgebiet Rechnersysteme Technische Universitt Verification Technology Darmstadt 6.

Fachgebiet Rechnersysteme Technische Universitt Verification Technology Darmstadt 6.

Fachgebiet Rechnersysteme Technische Universitt Verification Technology Darmstadt 6. Model-Checking 1 6. Model-Checking 3 Fachgebiet RechnerSysteme 6. Model Checking &quot;It is possible that a=1, b=1, c=1 and d=1 at the same

516 views • 24 slides

More recommend