Model Checking in the Propositional µ-Calculus
Ka I Violet Pun
INF 9140 - Specification and Verification of Parallel Systems
13th May, 2011
Overview
Model checking is a useful means of automatically ascertaining whether a system satisfies its specification
Use logics to specify the properties of a system
Use a decision procedure to decide if the system satisfies the specification
Propositional µ-Calculus
Branching-time temporal logic
Expressive logic: many branching-time logics can be translated into it
Fully characterises the behaviour of finite-state processes
Tableau-based proof system
Top-down proofs
Determine whether states in a finite-state system satisfy propositions specified in the µ-calculus
Violet Pun Model Checking in the Propositional µ-Calculus 2 / 24
Syntax
Grammar of the propositions
Φ ::= A | X | ¬Φ | Φ ∨ Φ | ⟨a⟩Φ | νX.Φ
formulas {Φ, ...}
atomic formulas A = {A, ...}
propositional variables V = {X, ...}
action symbols Act = {a, ...}
propositional connectives ¬ and ∨
modal operator ⟨a⟩
recursion operator ν
Syntax
Modal operators in the µ-calculus are indexed by an action a
[a]Φ can be written as ¬⟨a⟩¬Φ
Figure: ⟨a⟩Φ (some a-successor of the state satisfies Φ)
Figure: [a]Φ (every a-successor of the state satisfies Φ)
Syntax
Recursion operators are used for recursive formulas νX.Φ and µX.Φ
ν is a greatest fixed point operator
µ is a least fixed point operator
µX.Φ is written as ¬νX.¬Φ[¬X/X]
Syntactic restriction on Φ: any occurrence of X in Φ must occur inside the scope of an even number of negations, to maintain monotonicity
Transition System
A model of the µ-calculus is a labelled transition system, a representation of the operational behaviour of processes: ⟨S, Act, →⟩
S is a set of states {s, ...}
Act is a set of actions {a, ...}
→ is a transition relation on S × Act × S, written as s −a→ s′ for some state s′
Model of µ-calculus
A model for the µ-calculus is a quadruple of the form ⟨S, Act, →, V⟩
⟨S, Act, →⟩ is a labelled transition system
V is a function, called a valuation, mapping each A ∈ A to the set of states where A holds
Semantics of the propositions
The semantics of the µ-calculus is written in the form ⟦Φ⟧e
⟦A⟧e = V(A)
⟦X⟧e = e(X)
⟦¬Φ⟧e = S − ⟦Φ⟧e
⟦Φ1 ∨ Φ2⟧e = ⟦Φ1⟧e ∪ ⟦Φ2⟧e
⟦⟨a⟩Φ⟧e = ϕa(⟦Φ⟧e), where ϕa(S′) = {s′ | ∃s ∈ S′. s′ −a→ s}
⟦νX.Φ⟧e = ⋃{S′ ⊆ S | S′ ⊆ ⟦Φ⟧e[X → S′]}
Remarks
1 e is an environment which maps variables to sets of states
2 e[X → S′] represents the environment e with variable X replaced by S′
Lattice
For any set χ, ⟨2^χ, ⊆, ∪, ∩⟩ is a complete lattice where
2^χ is a set (the powerset of χ)
⊆ is the ordering relation; ⟨2^χ, ⊆⟩ is a partially ordered set
∪ is the least upper bound
∩ is the greatest lower bound
Fixed points
A fixed point of a function φ over a lattice is a set S ⊆ χ with φ(S) = S; the set of fixed points is written as {S ⊆ χ | φ(S) = S}
A greatest fixed point X of φ is an X ∈ {S ⊆ χ | φ(S) = S} such that ∀X′ ∈ {S ⊆ χ | φ(S) = S}, X′ ⊆ X
A least fixed point X of φ is an X ∈ {S ⊆ χ | φ(S) = S} such that ∀X′ ∈ {S ⊆ χ | φ(S) = S}, X ⊆ X′
Fixed points
A function φ is monotone over a lattice if X1 ⊆ X2 implies φ(X1) ⊆ φ(X2)
Tarski’s Fixed Point Theorem
If the function φ over a lattice is monotonic, then it has
Greatest fixed point νφ
- νφ = ⋃{S ⊆ χ | S ⊆ φ(S)}
Least fixed point µφ
- µφ = ⋂{S ⊆ χ | φ(S) ⊆ S}
Fixed points
For the µ-calculus, given an environment e, a function φ is defined by φ(S′) = ⟦Φ⟧e[X → S′]
Syntactic restriction on Φ: any occurrence of X in Φ must occur inside the scope of an even number of negations. This guarantees that φ over the lattice 2^S is monotonic, because ¬ is anti-monotonic and an even number of anti-monotonic steps composes to a monotonic one.
Hence φ has a greatest fixed point νφ.
Fixed points
⟨2^S, ⊆, ∪, ∩⟩ is finite
Every monotonic function over a finite complete lattice is continuous
Kleene’s Fixed Point Theorem
The greatest/least fixed point of a continuous function φ:
νφ = ⋂_{i=0}^{∞} φᵢ
µφ = ⋃_{i=0}^{∞} φ′ᵢ
where φ₀ = S, φᵢ₊₁ = φ(φᵢ), φ′₀ = ∅, φ′ᵢ₊₁ = φ(φ′ᵢ)
Fixed points
Figure: the lattice 2^χ with the two approximation chains and the fixed points of φ
∅ ⊆ φ′₁ ⊆ φ′₂ ⊆ ... ⊆ ⋃_{i≥0} φ′ᵢ = µφ = ⋂{S ⊆ χ | φ(S) = S} = ⋂{S ⊆ χ | φ(S) ⊆ S}
χ ⊇ φ₁ ⊇ φ₂ ⊇ ... ⊇ ⋂_{i≥0} φᵢ = νφ = ⋃{S ⊆ χ | φ(S) = S} = ⋃{S ⊆ χ | S ⊆ φ(S)}
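As an added example (my own code, not from the slides), the following Python evaluates ⟦Φ⟧e as defined on the semantics slide and computes νX.Φ by the Kleene chain φ₀ = S, φᵢ₊₁ = φ(φᵢ) just described; the tuple encoding of formulas and the small transition system are constructed for this example, and [a] and µ are written out via their derived forms.

```python
# Denotational semantics [[Phi]]e over a labelled transition system, with nu X.Phi
# computed by the Kleene chain phi_0 = S, phi_{i+1} = phi(phi_i).  Example code added
# to this page, not from the slides; the tuple encoding of formulas and the sample
# model below are my own constructions.
# Formulas: ('atom', A) | ('var', X) | ('not', F) | ('or', F, G) | ('dia', a, F) | ('nu', X, F)
def sem(f, model, env):
    """Return [[f]]env: the set of states of model satisfying f under environment env."""
    states, trans, val = model
    kind = f[0]
    if kind == 'atom': return set(val.get(f[1], ()))              # [[A]]e = V(A)
    if kind == 'var': return set(env[f[1]])                       # [[X]]e = e(X)
    if kind == 'not': return states - sem(f[1], model, env)       # [[not F]]e = S - [[F]]e
    if kind == 'or': return sem(f[1], model, env) | sem(f[2], model, env)
    if kind == 'dia':                                             # phi_a(T) = {s | some a-successor of s in T}
        target = sem(f[2], model, env)
        return {s for s in states if trans.get((s, f[1]), set()) & target}
    return gfp_chain(f, model, env)[-1]                           # [[nu X.F]]e = end of the descending chain

def gfp_chain(f, model, env):
    """Approximants phi_0 = S, phi_{i+1} = [[F]]env[X -> phi_i] of nu X.F, ending at the fixed point."""
    states, _, _ = model
    _, x, body = f
    chain = [set(states)]
    while True:                        # the chain descends and S is finite, so this terminates
        nxt = sem(body, model, {**env, x: chain[-1]})
        if nxt == chain[-1]: return chain
        chain.append(nxt)

def box(a, f): return ('not', ('dia', a, ('not', f)))              # [a]F = not <a> not F
def conj(f, g): return ('not', ('or', ('not', f), ('not', g)))

# Constructed sample model (not from the slides): states 0..3, actions a and b.
STATES = {0, 1, 2, 3}
TRANS = {(0, 'a'): {1}, (1, 'a'): {0}, (1, 'b'): {2}, (2, 'a'): {2}}
VAL = {'P': {0, 1}, 'Q': {2}}
MODEL = (STATES, TRANS, VAL)
P, Q, X = ('atom', 'P'), ('atom', 'Q'), ('var', 'X')
SAFE = ('nu', 'X', conj(P, box('a', X)))                           # P holds along every a-path
# mu X.(Q or <b>X) written out as not nu X. not (Q or <b> not X), as on the syntax slide
REACH_Q_B = ('not', ('nu', 'X', ('not', ('or', Q, ('dia', 'b', ('not', X))))))

def safe_states(): return sem(SAFE, MODEL, {})                    # expected {0, 1}
def safe_chain(): return gfp_chain(SAFE, MODEL, {})               # expected [{0, 1, 2, 3}, {0, 1}]
def reach_states(): return sem(REACH_Q_B, MODEL, {})              # expected {1, 2}
```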
The Tableau-Based Proof System
The proofs are conducted in a top-down fashion: conclusions above premises
A decision procedure to determine if states have the properties specified
Not necessary to examine every state in the system
Reuse information computed in one phase of the tableau construction process
The Tableau-Based Proof System
Proof rules operate on sequents
Sequents
H ⊢M s ∈ Φ
M is a model
s is a state from M
H is a set of hypotheses {s′ : Γ}, where s′ is a state and Γ is a closed recursive formula
Sequents are written as σ, ..., for short
The Tableau-Based Proof System
A tableau for a sequent σ is a maximal proof tree constructed by the tableau rules and having σ as the root
Given a sequent σ′ that results from applying a rule to σ,
σ′ is a child of σ and σ is the parent of σ′
A sequent in a tableau is a leaf if it does not have any children
The height of a tableau is the length of the longest sequence σ0, σ1, ...
The Tableau-Based Proof System
Definition
A leaf H ⊢ s ∈ Φ is successful if
1 Φ ∈ A and s ∈ V(Φ), or
2 Φ is ¬A for some A ∈ A and s ∉ V(A), or
3 Φ is ¬⟨a⟩Φ′ for some a and Φ′, or
4 Φ is νX.Φ′ and s : νX.Φ′ ∈ H for some X and Φ′
A tableau is successful when all its leaves are successful
A sequent σ has a proof if it has a successful tableau
Tableau rules for the propositional µ-calculus
Each rule is written as goal / subgoals (in the tableau the goal sequent stands above the sequents derived from it); side conditions are in parentheses
R1: H ⊢ s ∈ ¬¬Φ / H ⊢ s ∈ Φ
R2: H ⊢ s ∈ Φ1 ∨ Φ2 / H ⊢ s ∈ Φ1
R3: H ⊢ s ∈ Φ1 ∨ Φ2 / H ⊢ s ∈ Φ2
R4: H ⊢ s ∈ ¬(Φ1 ∨ Φ2) / H ⊢ s ∈ ¬Φ1, H ⊢ s ∈ ¬Φ2
R5: H ⊢ s ∈ ⟨a⟩Φ / H ⊢ s′ ∈ Φ (s′ ∈ {s′ | s −a→ s′})
R6: H ⊢ s ∈ ¬⟨a⟩Φ / H ⊢ s1 ∈ ¬Φ, H ⊢ s2 ∈ ¬Φ, ... ({s1, s2, ...} = {s′ | s −a→ s′})
R7: H ⊢ s ∈ νX.Φ / H′ ∪ {s : νX.Φ} ⊢ s ∈ Φ[νX.Φ/X] (s : νX.Φ ∉ H)
R8: H ⊢ s ∈ ¬νX.Φ / H′ ∪ {s : νX.Φ} ⊢ s ∈ ¬Φ[νX.Φ/X] (s : νX.Φ ∉ H)
where H′ = H − {s′ : Γ | νX.Φ ≺ Γ}
Tableau rules for the propositional µ-calculus
R7: H ⊢ s ∈ νX.Φ / H′ ∪ {s : νX.Φ} ⊢ s ∈ Φ[νX.Φ/X] (s : νX.Φ ∉ H), where H′ = H − {s′ : Γ | νX.Φ ≺ Γ}
A state satisfies a recursive property if it satisfies the unrolling of the property. Hypotheses about formulas that have the recursive formula as a subformula are removed.
Model Checking Algorithm
Example algorithm: a simple straightforward procedure
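As an added example (my own code, not the procedure on the slides), the following Python implements rules R1–R8 and the leaf conditions as a recursive search for a successful tableau: R2/R3 are tried as alternatives, the hypothesis set H is carried as a frozenset, and νX.Φ ≺ Γ is read as "νX.Φ is a proper subformula of Γ" as the explanation of R7 states; the formula encoding and the sample transition system are constructed for this example.

```python
# Tableau-based local model checker implementing rules R1-R8 and the leaf conditions
# from the slides. Example code added to this page, not from the slides or from the
# original tableau work they summarise; the tuple encoding and the sample model are mine.
# Formulas: ('atom', A) | ('var', X) | ('not', F) | ('or', F, G) | ('dia', a, F) | ('nu', X, F)
def box(a, f): return ('not', ('dia', a, ('not', f)))            # [a]F = not <a> not F
def conj(f, g): return ('not', ('or', ('not', f), ('not', g)))
def mu(x, f):                                                       # mu X.F = not nu X. not F[not X/X]
    return ('not', ('nu', x, ('not', subst(f, x, ('not', ('var', x))))))
def subst(f, x, g):
    """Replace the free occurrences of variable x in f by the formula g."""
    if f[0] == 'var': return g if f[1] == x else f
    if f[0] == 'nu': return f if f[1] == x else ('nu', f[1], subst(f[2], x, g))
    return (f[0],) + tuple(subst(c, x, g) if isinstance(c, tuple) else c for c in f[1:])

def is_sub(f, g):
    """True if f is a proper subformula of g (the relation written nu X.Phi < Gamma in R7/R8)."""
    return any(c == f or is_sub(f, c) for c in g[1:] if isinstance(c, tuple))

def unfold_hyps(hyps, s, nu):
    """H' u {s : nu X.Phi}, where H' drops hypotheses whose formula has nu X.Phi as a subformula."""
    return frozenset(h for h in hyps if not is_sub(nu, h[1])) | {(s, nu)}

def prove(model, hyps, s, f):
    """True iff the sequent H |- s in f has a successful tableau; hyps is a frozenset of (state, formula)."""
    trans, val = model
    if f[0] == 'atom': return s in val.get(f[1], ())                          # leaf 1: s in V(A)
    if f[0] == 'var': raise ValueError('only closed formulas can be checked')
    if f[0] == 'or': return prove(model, hyps, s, f[1]) or prove(model, hyps, s, f[2])   # R2, R3
    if f[0] == 'dia':                                                          # R5: some a-successor
        return any(prove(model, hyps, t, f[2]) for t in trans.get((s, f[1]), ()))
    if f[0] == 'nu':                                                           # leaf 4, otherwise R7
        return (s, f) in hyps or prove(model, unfold_hyps(hyps, s, f), s, subst(f[2], f[1], f))
    g = f[1]                                                                   # f is not g
    if g[0] == 'not': return prove(model, hyps, s, g[1])                      # R1
    if g[0] == 'atom': return s not in val.get(g[1], ())                      # leaf 2: s not in V(A)
    if g[0] == 'or':                                                           # R4
        return prove(model, hyps, s, ('not', g[1])) and prove(model, hyps, s, ('not', g[2]))
    if g[0] == 'dia':                                                          # R6; no a-successors: leaf 3
        return all(prove(model, hyps, t, ('not', g[2])) for t in trans.get((s, g[1]), ()))
    if (s, g) in hyps: return False       # not nu X.Phi with s : nu X.Phi in H is an unsuccessful leaf
    return prove(model, unfold_hyps(hyps, s, g), s, ('not', subst(g[2], g[1], g)))   # R8

# Constructed sample model (not from the slides): states 0..3, actions a and b.
TRANS = {(0, 'a'): {1}, (1, 'a'): {0}, (1, 'b'): {2}, (2, 'a'): {2}}
VAL = {'P': {0, 1}, 'Q': {2}}
P, Q, X = ('atom', 'P'), ('atom', 'Q'), ('var', 'X')
SAFE = ('nu', 'X', conj(P, box('a', X)))                                   # P along every a-path
REACH_Q = mu('X', ('or', Q, ('or', ('dia', 'a', X), ('dia', 'b', X))))      # some a/b path reaches Q
def check(s, f): return prove((TRANS, VAL), frozenset(), s, f)             # empty hypothesis set
```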
Model Checking Algorithm
The simple algorithm is not efficient
Exponential behaviour for formulas
Reason: nested modal operators, and no provision for storing the results of sequents whose truth has already been determined
Possible solution
Save the result from a previous computation and look it up later
The truth of a sequent can be deduced solely from the truth of other sequents
Suppose that H ⊢ s ∈ νX.Φ has a successful tableau. Then H ∪ {s : νX.Φ} ⊢ s′ ∈ Γ has a successful tableau if and only if H ⊢ s′ ∈ Γ does.