Introduction to Model-Checking Theory and Practice Beihang International Summer School 2018 Model Checking Linear Temporal Properties Model Checking “Model checking is the method by which a desired behavioral property of a reactive system is verified over a given system (the model) through exhaustive enumeration (explicit or implicit ) of all the states reachable by the system and the behaviors that traverse through them” Amir Pnueli (2000) Basic Properties • reachability (something is possible) • invariant (something is always true) the gate is closed when the train cross the road • safety (something bad never happen: ≡ ¬ 푅푒푎푐ℎ) • liveness (something good may eventually happen) every process will (eventually) gain access to the printer • Fairness (if it may happen ∞ often then it will happen) if messages cannot be lost ∞ often then I will received an ack Model-Checking • We have seen how to use a formal specification language to model the system (⇒ as a graph, but also as a language ℒ) • We have seen how to check basic properties on the reachability graph (and that SCC can be useful) • What if we want to check more general properties? User-Defined Properties • present before (we should see an 푎 before the first 푏) the latch must be locked before take-off • infinitely often (something will always happen, ≠ 퐴푙푤푎푦푠) the timer should always be triggered • leadsto (after every occurrence of 푎 there should be a 푏) there is an audible signal after the alarm is activated • … see example of specification patterns here [Dwyer] Model-Checking System + Requirements informal Description Description M of the of the 휙 behavior property operational denotational formalization verification Does 푀 ⊨ 휙 Does 푀 ≡ 퐺휙 yes / no / c. ex. present 푎 before 푏 • In every execution, action 푎 should occur before 푏 or there should be no 푏 푝1, 푝2, 푝6 푝0, 푝2 푝1, 푝2, 푝4 푝1, 푝5, 푝2 푝1, 푝3 present 푟푐푣 before 푎푐푘 Infinitely often 푎 • every “maximal execution” should have an unbounded number of 푎 equivalently: from every state, it is unavoidable to do an 푎 푝1, 푝2, 푝6 푝0, 푝2 푝1, 푝2, 푝4 푝1, 푝5, 푝2 푝1, 푝3 infinitely 푟푐푣 infinitely 푠푒푛푑 Infinitely often 푎 • every “maximal execution” should have an unbounded number of 푎 equivalently: from every state, it is unavoidable to do an 푎 푝1, 푝2, 푝6 Infinitely 푟푐푣 푝0, 푝2 푝1, 푝2, 푝4 푝1, 푝5, 푝2 푝1, 푝3 Infinitely often 푎 • every “maximal execution” should have an unbounded number of 푎 equivalently: from every state, it is unavoidable to do an 푎 푝1, 푝2, 푝6 Infinitely 푠푒푛푑 푝0, 푝2 푝1, 푝2, 푝4 푝1, 푝5, 푝2 푝1, 푝3 푎 leadsto 푏 • after every occurrence of action 푎 we should eventually find an occurrence of action 푏 or there is no 푎 푝1, 푝2, 푝6 푝0, 푝2 푝1, 푝2, 푝4 푝1, 푝5, 푝2 푝1, 푝3 푠푛푑 leadsto 푟푐푣 Model Checking Linear Temporal Properties using Language Inclusion Model-Checking System + Requirements informal Description Description M of the of the 휙 behavior property operational denotational formalization verification Does 푀 ⊨ 휙 Does 푀 ≡ 퐺휙 yes / no / c. ex. Model-Checking correct behavior 퐿(푀) 퐿 푀 ∩ 퐿 휙 counter-example 퐿 휙 Description Description M of the Does 퐿 푀 ⊆ 퐿(휙) ? of the 휙 behavior property present 푎 before 푏 • In every execution, action 푎 should occur before 푏 or there should be no 푏present 푎 before 푏 a = {a} 1 = {a, b, c, …} !a = {b, c, …} • idea: use set of words (language) of infinite length that go through a “red state” infinitely often present 푎 before 푏 • In every execution, action 푎 should occur before 푏 or there should be no 푏present 푎 before 푏 a = {a} 1 = {a, b, c, …} !a = {b, c, …} • Equivalently: find traces where “red places” are infinitely marked. present 푎 before 푏 푝1, 푝2, 푝6 푝0, 푝2 푝1, 푝2, 푝4 푝1, 푝5, 푝2 푝1, 푝3 02 00 01 present 푟푐푣 before 푎푐푘 12 10 13 14 11 Büchi Automata Büchi automata • In here we consider automata with a set of final, or accepting states 퐹 ⊆ 푄 • we use “red states” to mean accepting • It is a finite state automata with a different acceptance condition. An (infinite) word is accepted if it corresponds to an infinite run that contains infinitely many accepting states a = {a} 1 = {a, b, c, …} !a = {b, c, …} Example 푎. 푎. 푎. … 푎휔 is accepted 푎. 푎. 푏. 푎. 푏. 푎. … 푏. 푎 휔 is accepted 푎. 푎. 푏. 푏. 푏. … 푏 휔 is rejected 푎. 푏. 푎. 푏2. 푎. 푏3. … 푏푛. 푎 휔 is accepted Büchi automata • To find if there exist a word that is not accepted by a Büchi automata, it is enough to find a cycle without accepting state we know how to do it (remember Tarjan’s algorithm) • Same thing if we want to test if ℒ = ∅ Model Checking Linear Temporal Properties using Language Inclusion a better idea Model-Checking 퐿(푀) 퐿 푀 ∩ 퐿 휙 퐿 ∖ 퐿 휙 퐿 휙 Description Description M of the Does 퐿 푀 ∖ 퐿 휙 = ∅ ? of the 휙 behavior property present 푎 before 푏 • We disprove the property if we find a trace where 푏 can be reached without firing action 푎 a = {a} 퐿 ¬ 휙 ≡ 1 = {a, b, c, …} !a = {b, c, …} present 푎 before 푏 푝1, 푝2, 푝6 푝0, 푝2 푝1, 푝2, 푝4 푝1, 푝5, 푝2 푝1, 푝3 present 푟푐푣 before 푎푐푘 Infinitely often 푎 • From every state, it is unavoidable to do an 푎 ≡ 퐿 휙 Infinitely often 푎 • We disprove the property if we find a trace without a single 푎 (maybe after some other transitions fire) ≡ 퐿 ¬ 휙 Infinitely often 푎 10 12 infinitely 푟푐푣 11 10 Infinitely often 푎 100 010 001 001 100 010 100 푎 leadsto 푏 • after every 푎 we eventually find a 푏 We disprove the property if we find an 푎 followed by an infinite sequence (a SCC) without 푏 푠푛푑 leadsto 푟푐푣 What you need to remember • We can check more complex properties using an automata-theoretic approach • It is often easier to try to disprove the property 퐴 푆푦푠 ⊗ 퐴 ¬휙 = ∅ • We need automata that accept infinite words → different acceptance criterion (Büchi-automaton) • There is a link with SCC (infinitely often ≈ cycle) Model Checking LTL, a Principled Approach Model-Checking • We have seen how to use “language inclusion” (product of automata and search for an infinite path) to express temporal properties on a system • What if we want to check more general properties? Is there a more friendly way to define temporal properties ? • How can we derive an automaton from it Classical logic • logic is the systematic study of the form of valid inference • Aristotle (322 BC) • Clarence Lewis (∼1910) for its actual form • A formula is valid iff it is true under every interpretation. • An argument form (or schema) is valid iff every argument is valid wikipedia Non-classical logics • Example of valid argument form (or schema) (퐴 ⇒ 퐵 ∧ 퐴) ⇒ 퐵 • Predicate logic has propositional variables (퐴, 퐵, …) and connectives (∧, ¬, ⇒, …) • There are also non-classical logics, such as modal logics, that extend logic with operators (modalities) expressing the fact that the truth may depends on the context examples are beliefs: I am certain vs it is possible; permissions (deontic logic): it is permissible vs it is obligatory; and time: always vs eventually Temporal logic Amir Pnueli (1941—2009) “In mathematics, logic is static. It deals with connections among entities that exist in the same time frame. When one designs a dynamic computer system that has to react to ever changing conditions, … one cannot design the system based on a static view. It is necessary to characterize and describe dynamic behaviors that connect entities, events, and reactions at different time points. Temporal Logic deals therefore with a dynamic view of the world that evolves over time." Atomic proposition • We start by defining atomic propositions statements about the here and now ! • We assume a set of propositional variables {푝1, 푝2, … , 푝푛} • We will use the language of logic. Atomic Formulas are built from P. V. and from connectives 푎, 푏, … ∷= 푝 ¬푎 푎 ∧ 푏 | … • e.g.: 푝1 ∧ (푝2 ∨ ¬푝3) 푝1 ⇒ 푝2 ≡ ¬푝1 ∨ 푝2 Atomic Prop.: event/state-based • If we want to deal with events (transitions), we can choose atomic propositions 푎, 푏, … that corresponds to event names: • 푡1 • 푑푒푎푑 • We can also choose to deal with states (markings) • 푝1 + 2. 푝3 ≤ 4 푝1 ≡ (푝1 ≥ 1) • 퐹푖푟푎푏푙푒(푡) • 푑푒푎푑 • 푖푛푖푡푖푎푙 (`0) (from now on we consider only “state-based” formulas) Linear Temporal Logic • The logic has two main connectives 퐹 휙: reads “finally” (eventually) 휙 is true 퐺 휙: reads “globally” (always) 휙 is true 휙, 휓, … ∷= 푎 ¬휙 휙1 ∧ 휙2 퐹 휙 퐺 휙 • So you can write formulas such as: 퐺 (푝1 ⇒ 퐹 푝2 + 푝3 ≤ 푝4 ) ¬ 퐹 푑푒푎푑 ∨ 퐺 (¬푝2) 퐹 퐺 푝1 ∧ 퐺 퐹 푝2 퐺 ( 퐺 푡1 ∨ (퐺 푡2)) Linear Temporal Logic • The logic has two main connectives 퐹 휙: reads “finally” (eventually) 휙 is true, also []휙 퐺 휙: reads “globally” (always) 휙 is true, also 〈〉휙 • There is another possible presentation based on two additional connectives 휙 푈 휓: reads “휙 holds until 휓” 푋휙 : reads “next” 휙 holds, also written ()휙 LTL—syntax equivalence 퐹 휙 〈 〉휙 finally 퐺 휙 휙 globally 푋 휙 휙 next 휙 푈 휓 휙 푈 휓 until ! 휙 ¬휙 negation SPIN syntax selt syntax Pinyin name LTL—semantics • LTL formulas are interpreted on (maximal) traces, 푤 = 푤0. 푤1. … . 푤푖. … for “state-based” properties, 푤푖 is a state ≡ the set of atomic propositions true in 푤푖 • We call 푤(푖) the 푖th element in 푤 • We use the notation 푤, 푖 ⊨ 휙 to say that 휙 holds for 푤 from position 푖 푤 ⊨ 휙 ⇔ 푤, 0 ⊨ 휙 satisfaction relation ⊨ LTL—semantics 푤 ⊨ 휙 ? 푤, 2 ⊨ ϕ … 푤, 푖 ⊨ ϕ … 푤, 푘 ⊨ ϕ 푤0 푤1 푤2 … 푤푖 … 푤푘 LTL—atomic propositions • For atomic propositions, 푎, we can say whether it holds for 푤푖 or not (we write 푤푖 ⊨ 푎 if it holds).