Liveness Checking as Safety Checking to Find Shortest Counterexamples to Linear Time Properties
Viktor Schuppan, Computer Systems Institute, ETH Zürich, http://www.inf.ethz.ch/schuppan/
Defense of Thesis ETH 16268, September 28, 2005, Zürich
Safety vs. Liveness
2
[Lamport ’77], [Alpern, Schneider ’85]
Safety: "Something bad will not happen." The "bad thing" is irremediable.
Liveness: "Something good will eventually happen." It remains possible for the "good thing" to occur.
© 2005 V. Schuppan – Computer Systems Institute, ETH Zürich.
Model Checking of Safety Properties
3
[Kupferman, Vardi ’01]
[Figure: a system model and the finite state automaton for the LTL formula G (c = 2) are combined into a (finite state) product automaton; states are labeled with c = 2 and numbered 1, 2.]
Property is false iff a bad state is reachable. ⇒ Find shortest finite path to bad state.
Model Checking of Liveness Properties
4
[Vardi, Wolper ’86]
[Figure: a system model and the Büchi automaton for the LTL formula F G (c = 2) are combined into a (Büchi) product automaton; states are labeled with c = 2 and numbered 1, 2.]
Property is false iff there is an (infinite) fair path. ⇒ Find fair lasso.
Contents
5
- 1. Model Checking 101
- 2. Liveness Checking as Safety Checking
- 3. Tight Büchi Automata
- 4. Conclusions
Liveness Checking as Safety Checking
6
[Figure: state part of the translated model. Original variables: the system state (c = 2) and the Büchi automaton state b. Added by the translation: a copy of c, a copy of b, and status variables (st, lb, lc, fairness) used to save the state, find a fair state and detect the fair loop; states are numbered 1, 2.]
State-recording translation:
- 1. Guess loop start: save current state.
- 2. Find fair state in loop.
- 3. Find second occurrence of saved state.
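As an added example, not code from the thesis or its NuSMV implementation, here is the state-recording translation on an explicit-state toy model (constructed for this illustration): each translated state carries the original state, a saved copy and two status flags, and a breadth-first search to the bad state returns the shortest fair lasso.

```python
from collections import deque

# Constructed toy model (not the one on the slide): states after the product
# with the Büchi automaton; FAIR marks states where acceptance holds.
# The loop 1 -> 2 -> 1 is a distractor: it is not fair.
INIT = {0}
TRANS = {0: [1], 1: [2, 3], 2: [1], 3: [4], 4: [3]}
FAIR = {4}

# Translated state: (current state, saved copy, loop begun, fair seen in loop)
def l2s_successors(state, trans, fair):
    s, saved, lb, lf = state
    for t in trans[s]:
        # keep the current phase; inside the loop, remember a fair state (step 2)
        yield (t, saved, lb, lf or (lb and t in fair))
        if not lb:
            # step 1: guess that the loop starts at s and save s in the copy
            yield (t, s, True, s in fair or t in fair)

def is_bad(state):
    s, saved, lb, lf = state
    # step 3: saved state seen again after a fair state -> fair loop closed
    return lb and lf and s == saved

def shortest_fair_lasso(init, trans, fair):
    """BFS over the finite translated model: the first bad state reached lies
    on a shortest path, which is a shortest fair lasso (stem, loop) of the
    original model. Returns None if there is no fair lasso."""
    parent = {(s, None, False, False): None for s in init}
    queue = deque(parent)
    while queue:
        state = queue.popleft()
        if is_bad(state):
            path = []
            while state is not None:
                path.append(state)
                state = parent[state]
            path.reverse()
            # the loop starts at the state whose successor first has lb set
            start = next(i for i, st in enumerate(path) if st[2]) - 1
            orig = [st[0] for st in path]
            return orig[:start], orig[start:-1]   # drop the repeated saved state
        for nxt in l2s_successors(state, trans, fair):
            if nxt not in parent:
                parent[nxt] = state
                queue.append(nxt)
    return None

if __name__ == "__main__":
    print(shortest_fair_lasso(INIT, TRANS, FAIR))
```

The path to the bad state has |stem| + |loop| transitions, so the invariant check's shortest counterexample is exactly the shortest fair lasso.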
Complexity
7
[Figure: the translated model for a system with states 1, 2, 3 and saved copies 1’, 2’, 3’; phases shown: stem (not fair), loop body (fair), loop body (loop closed). There are |S| branches, one per saved state, with no changing between branches.]
|S^S| = O(|S|^2), |T^S| = O(|S|·|T|), r^S, d^S = O(d), |(T^S)*| = O(|S|·|T*|)
Experiments
8
Show feasibility of model checking the translated model: compare BDD-based symbolic model checking of LTL properties using
– Standard algorithm: NuSMV 2.2.2, labeled LTL
– Translated model: invariant checking in NuSMV 2.2.2, labeled L2S
Remarks
– LTL to Büchi automata with NuSMV’s ltl2smv
– No cone of influence reduction
– BDD variable order: use static order if available; no dynamic reordering; interleave original state variables and L2S copies
Results
9
[Figure: scatter plots of LTL vs. L2S. CPU time [seconds] for false and for true properties (axes 0.1 to 3600); Memory [# BDD nodes] for false and for true properties (axes 1e+03 to 1e+08).]
Half-way Summary
10
Benefits
– Find shortest lassos with a BDD-based model checker
– Make tools and methods for safety available for liveness properties
– Have a quick and dirty liveness algorithm
– Need fewer liveness proofs
What’s more
– Exponential speed up on selected examples
– Extension to infinite state systems: regular model checking, pushdown systems, timed automata
– Optimizations
Contents
11
- 1. Model Checking 101
- 2. Liveness Checking as Safety Checking
- 3. Tight Büchi Automata
- 4. Conclusions
Tight Büchi Automata
12
Not all Büchi automata allow finding shortest counterexamples:
[Figure: a system model with states labeled p,q and p, the Büchi automaton for the LTL formula ¬(p /\ X G q), and the resulting (Büchi) product automaton.]
To find shortest counterexamples, for each counterexample the Büchi automaton must have an accepting run of the same shape as the counterexample:
∀α = βγ^ω ∈ Lang(B) . ∃ρ = στ^ω ∈ Runs(B) . ρ ⊨ α ∧ |β| = |σ| ∧ |τ| = |γ|
⇒ Extend the notion of tight automaton [Kupferman, Vardi ’01] to Büchi automata.
How Bad Is It?
13
Let
– φ be a future time / mixed future and past time LTL property,
– B¬φ be a Büchi automaton constructed with the method of Gerth et al. / Kesten et al., and
– α = βγ^ω be a counterexample to φ.
Then there is an accepting run ρ = στ^ω on α in B¬φ with |σ| ≤ |β| + (h_f/p(φ) + 1)·|γ| and |τ| = |γ|, where h_f/p is the maximum number of nested future/past operators.
Popular methods to construct Büchi automata may lead to counterexamples with excess length linear in the maximum number of nested operators. The method by Kesten et al. produces tight automata for future time LTL.
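Added example, not from the thesis: the tightness condition of the previous slide and the excess-stem bound above, checked on two constructed automata for p /\ X G q (the negation of the property ¬(p /\ X G q)); these are illustrations, not the automata drawn on the slide. `run_of_shape` looks for an accepting run with a given stem length and loop length |γ|, and `shortest_stem` returns the smallest |σ| admitting such a run, so the automaton is tight for the word iff that equals |β|.

```python
# A letter is the set of atomic propositions true at that position; a
# transition (src, guard, dst) is enabled when every proposition in guard
# holds in the letter. Both automata are constructed for this example.
NON_TIGHT = {                      # reaches its accepting loop one step late
    "init": {"s0"}, "acc": {"s2"},
    "trans": [("s0", {"p"}, "s1"), ("s1", {"q"}, "s2"), ("s2", {"q"}, "s2")],
}
TIGHT = {                          # accepting loop starts at position 1
    "init": {"s0"}, "acc": {"s1"},
    "trans": [("s0", {"p"}, "s1"), ("s1", {"q"}, "s1")],
}

def letter_at(beta, gamma, i):
    """Letter i of the lasso word beta gamma^omega."""
    return beta[i] if i < len(beta) else gamma[(i - len(beta)) % len(gamma)]

def run_of_shape(aut, beta, gamma, stem_len):
    """Accepting run sigma tau^omega on beta gamma^omega with |sigma| == stem_len
    and |tau| == len(gamma), returned as (sigma, tau), or None. Requires
    stem_len >= len(beta) so the run's loop stays aligned with the word's loop."""
    total = stem_len + len(gamma)

    def extend(run):
        i = len(run) - 1                      # word position of the last state
        if i == total:
            loop = run[stem_len:total]
            if run[total] == run[stem_len] and any(q in aut["acc"] for q in loop):
                return run[:stem_len], loop
            return None
        letter = letter_at(beta, gamma, i)
        for src, guard, dst in aut["trans"]:
            if src == run[-1] and guard <= letter:
                found = extend(run + [dst])
                if found:
                    return found
        return None

    for q0 in sorted(aut["init"]):
        found = extend([q0])
        if found:
            return found
    return None

def shortest_stem(aut, beta, gamma, max_extra):
    """Smallest |sigma| in len(beta) .. len(beta) + max_extra that admits a run
    of loop length |gamma|, or None if no such run exists in that range."""
    for stem_len in range(len(beta), len(beta) + max_extra + 1):
        if run_of_shape(aut, beta, gamma, stem_len):
            return stem_len
    return None
```

For the word p q^ω (β = [{p}], γ = [{q}]) the tight automaton admits |σ| = 1 = |β|, while the non-tight one needs |σ| = 2: one extra unrolling of the loop, the excess length the slide's bound accounts for.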
Tightening B¨ uchi Automata
14
Assume the following (abstract) run and counterexample:
[Figure: a run with states 1 to 11 on the counterexample a b c d e c d e c d e c d e, whose stem is a b and whose loop is c d e; the run's stem covers several iterations of the counterexample loop before the run itself loops over 9 10 11.]
Have different parts of the run work in parallel: form vectors of states.
[Figure: the run split into the parts 1 2 3 4 5 and 6 7 8 9 10 11, placed side by side as vectors of states so that the run's stem and loop line up with the counterexample's stem a b and loop c d e.]
Experiments
15
Determine counterexample length using
– standard algorithm and standard automaton
– invariant checking of translated model and standard automaton
– invariant checking of translated model and tight automaton
Compare finding shortest counterexamples with tight encoding using
– SAT-based BMC [Heljanko, Junttila, Latvala ’05] ⇒ preliminary incremental implementation of [Latvala et al. ’05], modified NuSMV 2.2.2, labeled BMC
– BDD-based invariant checking of translated model, labeled L2S
Remarks
– as before, but no static order for BDDs (other than interleaving of original and L2S copies of state variables)
Results: Reduction in Counterexample Length
16
[Figure: counterexample length (0 to 400) per sample for LTL, not tight; L2S, not tight; L2S, tight.]
Results: BDDs vs. SAT
17
[Figure: L2S (BDDs) vs. incremental BMC (SAT). CPU time [seconds] (axes 0.1 to 3600) and Memory [MByte] (axes 1 to 1000).]
Related Work
18
Liveness Checking as Safety Checking:
– Shilov, Yi, Eo, O, Choe ’01/’05: Reduction of SOEPDL (> 2M of C. Stirling) to reachability. Requires closure under Cartesian product and subset constructions. More powerful but doubly exponential.
– Burch ’90: Reduction for timed trace structures. Requires user to come up with appropriate time constraint.
– Ultes-Nitsche ’02: Satisfaction within fairness corresponds to some safety property. May change semantics.
Tight Büchi Automata:
– Kupferman, Vardi ’01: Shortest counterexamples for safety properties. Tight automata on finite words.
– Benedetti, Cimatti ’03: Virtual unrolling for BMC.
– Latvala, Biere, Heljanko, Junttila ’05: Inspiration for tight Büchi automata.
The End
19
Summary:
– Feasible translation from liveness to safety
– Tight Büchi automata
– Practical BDD-based method to find shortest counterexamples for LTL
Future Work:
– More powerful logics
– Tight Büchi automata for explicit state model checking
– Complementary property of tightness