Efficient Model Checking of Safety Properties Timo Latvala - - PowerPoint PPT Presentation

Efficient Model Checking of Safety Properties

Timo Latvala

timo.latvala@hut.fi

Laboratory for Theoretical Computer Science Helsinki University of Technology Finland

Spin 2003 – p.1/16

Introduction

• Safety properties ≈ “properties with finite

counterexamples”.

• Uses:
• Testing
• Program monitoring
• Model Checking
• Focus: LTL using the automata theoretic

approach.

• Main problem: translating LTL formulas to finite

automata.

Spin 2003 – p.2/16

Why safety properties?

Treating safety properties as a special case has certain benefits.

• Safety properties an “important” subset.

Spin 2003 – p.3/16

Why safety properties?

Treating safety properties as a special case has certain benefits.

• Safety properties an “important” subset.
• Explicit state model checking algorithms are

somewhat simpler.

Spin 2003 – p.3/16

Why safety properties?

Treating safety properties as a special case has certain benefits.

• Safety properties an “important” subset.
• Explicit state model checking algorithms are

somewhat simpler.

• BDD-based algorithms are faster (linear vs

quadratic).

Spin 2003 – p.3/16

Why safety properties?

Treating safety properties as a special case has certain benefits.

• Safety properties an “important” subset.
• Explicit state model checking algorithms are

somewhat simpler.

• BDD-based algorithms are faster (linear vs

quadratic).

• For methods such as Petri net unfoldings, safety

is much simpler.

Spin 2003 – p.3/16

Challenges

Treating safety as a special case poses some challenges:

• Deciding if an LTL formula is a safety formula is

PSPACE-complete.

Spin 2003 – p.4/16

Challenges

Treating safety as a special case poses some challenges:

• Deciding if an LTL formula is a safety formula is

PSPACE-complete.

• Translating a safety LTL formula to finite

automaton doubly exponential.

Spin 2003 – p.4/16

Challenges

Treating safety as a special case poses some challenges:

• Deciding if an LTL formula is a safety formula is

PSPACE-complete.

• Translating a safety LTL formula to finite

automaton doubly exponential.

• Non-pathological formulas have a singly

exponential translation to finite automata.

Spin 2003 – p.4/16

Challenges

Treating safety as a special case poses some challenges:

• Deciding if an LTL formula is a safety formula is

PSPACE-complete.

• Translating a safety LTL formula to finite

automaton doubly exponential.

• Non-pathological formulas have a singly

exponential translation to finite automata.

• Deciding if a formula is pathological is

PSPACE-complete.

Spin 2003 – p.4/16

Contributions

• A new translation algorithm based on an

algorithm by Kupferman and Vardi.

Spin 2003 – p.5/16

Contributions

• A new translation algorithm based on an

algorithm by Kupferman and Vardi.

• Extensive experimental testing of the

implementation.

Spin 2003 – p.5/16

Contributions

• A new translation algorithm based on an

algorithm by Kupferman and Vardi.

• Extensive experimental testing of the

implementation.

• First(?) implementation of a algorithm checking

if a formula is pathologic.

Spin 2003 – p.5/16

Contributions

• A new translation algorithm based on an

algorithm by Kupferman and Vardi.

• Extensive experimental testing of the

implementation.

• First(?) implementation of a algorithm checking

if a formula is pathologic.

• The tool, scheck, can be used with Spin.

Spin 2003 – p.5/16

Related Work

• Kupferman and Vardi: Algorithms and

complexity results.

Spin 2003 – p.6/16

Related Work

• Kupferman and Vardi: Algorithms and

complexity results.

• Geilen: Forward version of KV-algorithm.

Spin 2003 – p.6/16

Related Work

• Kupferman and Vardi: Algorithms and

complexity results.

• Geilen: Forward version of KV-algorithm.
• Berard et al: history variables methods for past

TL

Spin 2003 – p.6/16

Related Work

• Kupferman and Vardi: Algorithms and

complexity results.

• Geilen: Forward version of KV-algorithm.
• Berard et al: history variables methods for past

TL

• Havelund and Rosu: model checking past TL for

finite executions.

Spin 2003 – p.6/16

Translation Algorithm

• The algorithm creates the finite automaton

backwards.

Spin 2003 – p.7/16

Translation Algorithm

• The algorithm creates the finite automaton

backwards.

• We start from an empty set of requirements and

analyse the satisfaction of subformulas.

Spin 2003 – p.7/16

Translation Algorithm

• The algorithm creates the finite automaton

backwards.

• We start from an empty set of requirements and

analyse the satisfaction of subformulas.

• We only add states for temporal operators

(exception: X).

Spin 2003 – p.7/16

Translation Algorithm

• The algorithm creates the finite automaton

backwards.

• We start from an empty set of requirements and

analyse the satisfaction of subformulas.

• We only add states for temporal operators

(exception: X).

• Resulting automaton accepts all informative

prefixes.

Spin 2003 – p.7/16

Checking Pathologic Safety

• Construct A¬ψ.

Spin 2003 – p.8/16

Checking Pathologic Safety

• Construct A¬ψ.
• Construct deterministic finite automaton B¬ψ.

Spin 2003 – p.8/16

Checking Pathologic Safety

• Construct A¬ψ.
• Construct deterministic finite automaton B¬ψ.
• Interpret B¬ψ as a Büchi automaton and

complement it.

Spin 2003 – p.8/16

Checking Pathologic Safety

• Construct A¬ψ.
• Construct deterministic finite automaton B¬ψ.
• Interpret B¬ψ as a Büchi automaton and

complement it.

• If L(A¬ψ × ¯

B¬ψ) = ∅ then ψ is pathologic.

Spin 2003 – p.8/16

Implementation

• The implementation uses BDDs to manage sets.

Spin 2003 – p.9/16

Implementation

• The implementation uses BDDs to manage sets.
• Produces deterministic or non-deterministic

automata.

Spin 2003 – p.9/16

Implementation

• The implementation uses BDDs to manage sets.
• Produces deterministic or non-deterministic

automata.

• Can be connected to Spin.

Spin 2003 – p.9/16

Implementation

• The implementation uses BDDs to manage sets.
• Produces deterministic or non-deterministic

automata.

• Can be connected to Spin.
• Freely available licensed under the GNU GPL.

Spin 2003 – p.9/16

Experiments

• Randomly generated syntactically safe formulas

Spin 2003 – p.10/16

Experiments

• Randomly generated syntactically safe formulas
• Randomly generated formulas.

Spin 2003 – p.10/16

Experiments

• Randomly generated syntactically safe formulas
• Randomly generated formulas.
• Safety formulas from the specification pattern

system.

Spin 2003 – p.10/16

Experiments

• Randomly generated syntactically safe formulas
• Randomly generated formulas.
• Safety formulas from the specification pattern

system.

• Model checking tests with Spin.

Spin 2003 – p.10/16

Syntactically Safe Formulas

10 20 30 0.2 0.4 0.6 0.8 1 1.2 1.4 Formula length State ratio lbt spin ltl2ba 10 20 30 0.2 0.4 0.6 0.8 1 1.2 1.4 Formula length Transition ratio lbt spin ltl2ba 5 10 15 1 2 3 4 5 6 7 Formula length Time ratio lbt spin 10 20 30 0.2 0.4 0.6 0.8 1 1.2 1.4 Formula length Productstate ratio lbt spin ltl2ba 10 20 30 0.2 0.4 0.6 0.8 1 Formula length Producttransition ratio lbt spin ltl2ba 10 20 30 50 100 150 200 250 Formula length Time ratio ltl2ba

Spin 2003 – p.11/16

General Formulas

4 6 8 10 12 14 16 18 20 22 0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 Formula length Average generation time [s] Spin 2003 – p.12/16

Specification Pattern Formulas

10 20 30 40 2 4 6 8 10 12 14 States or arcs scheck states ltl2ba states 10 20 30 40 5 10 15 20 25 30 35 40 45 States or arcs scheck arcs ltl2ba arcs

states arcs time [s] product states product arcs ltl2ba 160 348 0.5 3037 15406 lbt 1915 31821 1.2 25134 763203 scheck 144 316 2.1 2481 9806

Spin 2003 – p.13/16

Practical Models

model scheck spin states arcs t [s] states arcs t [s] peterson(3) 17476 32343 0.06 21792 45870 0.09 peterson(4) 3254110 709846 20.8 4216030 10315000 37.3 sliding(1,1) 130799 407238 0.9 258456 890026 2.2 sliding(1,2) 518050 1670120 3.9 1027130 3604660 9.8 sliding(2,1) 5447700 18271400 534.7 10794100 39649800 1097.4 erathostenes(50,1) 522 522 0.03 522 522 0.03 erathostenes(60,2) 324 324 0.02 357958 647081 4.0 erathostenes(70,3) 522 522 0.04 2047030 4407400 48.5 erathostenes(80,4) 789 789 0.04

• erathostenes(80,5)

847 847 0.04

• iprot

7095180 20595400 377.0 16011900 46288600 1006.2 giop 146646 215640 1.8 255105 524493 4.8

Spin 2003 – p.14/16

Practical Models

model scheck ltl2ba states arcs t [s] states arcs t [s] peterson(3) 17476 32343 0.06 21792 45870 0.09 peterson(4) 3254110 709846 20.8 4216030 10315000 37.5 sliding(1,1) 130799 407238 0.09 258432 890386 2.2 sliding(1,2) 518050 1670120 3.9 1027120 3604410 9.8 sliding(2,1) 5447700 18271400 534.7 10794000 39645700 1097.6 erathostenes(50,1) 522 522 0.03 678 678 0.03 erathostenes(60,2) 324 324 0.02 794322 1319710 8.4 erathostenes(70,3) 522 522 0.04 3110700 6474410 76.6 erathostenes(80,4) 789 789 0.04

• erathostenes(80,5)

847 847 0.04

• iprot

7095180 20595400 377.0 16011900 46288600 1003.7 giop 146646 215640 1.8 255105 524493 4.6

Spin 2003 – p.15/16

Conclusions

• scheck produces smaller automata is most cases.

Spin 2003 – p.16/16

Conclusions

• scheck produces smaller automata is most cases.
• Especially when debugging safety properties, the

gain can be significant

Spin 2003 – p.16/16

Conclusions

• scheck produces smaller automata is most cases.
• Especially when debugging safety properties, the

gain can be significant

• A model checker can gain by analysing the

formula.

Spin 2003 – p.16/16

Conclusions

• scheck produces smaller automata is most cases.
• Especially when debugging safety properties, the

gain can be significant

• A model checker can gain by analysing the

formula.

• Using BDDs probably a bad design choice.

Spin 2003 – p.16/16

Conclusions

• scheck produces smaller automata is most cases.
• Especially when debugging safety properties, the

gain can be significant

• A model checker can gain by analysing the

formula.

• Using BDDs probably a bad design choice.
• scheck is available from

www.tcs.hut.fi/~timo/scheck.

Spin 2003 – p.16/16