Liveness Checking as Safety Checking to Find Shortest Counterexamples to Linear Time Properties
Viktor Schuppan, Computer Systems Institute, ETH Zürich, http://www.inf.ethz.ch/~schuppan/
Defense of Thesis ETH 16268, September 28, 2005, Zürich, Switzerland
Safety vs. Liveness [Lamport ’77], [Alpern, Schneider ’85]
Safety: “Something bad will not happen.” The “bad thing” is irremediable.
Liveness: “Something good will eventually happen.” It remains possible for the “good thing” to occur.
© 2005 V. Schuppan – Computer Systems Institute, ETH Zürich.
Model Checking of Safety Properties [Kupferman, Vardi ’01]
[Figure: LTL formula G (c = 2); a system model with states 0, 1, 2; the finite state automaton for the property; the (finite state) product automaton.]
Property is false iff a bad state is reachable. ⇒ Find shortest finite path to bad state.
Model Checking of Liveness Properties [Vardi, Wolper ’86]
[Figure: LTL formula F G (c = 2); a system model with states 0, 1, 2; the Büchi automaton for the property; the (Büchi) product automaton.]
Property is false iff there is an (infinite) fair path. ⇒ Find fair lasso.
Contents
1. Model Checking 101
2. Liveness Checking as Safety Checking
3. Tight Büchi Automata
4. Conclusions
Liveness Checking as Safety Checking
[Figure: one run of the translated model.
  original state part, c (system) and b (Büchi):   c: 0  1  2  0  1
  copy of c, added by translation (saved state):     −  1  1  1  1
  copy of b, added by translation
  status:                                            st lb lb lb lc
  fairness (find fair state):                        −  0  1  1  1
Annotations: save (guess loop start), find fair state, detect loop.]
State-recording translation:
1. Guess loop start: save current state.
2. Find fair state in loop.
3. Find second occurrence of saved state.
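The three-step state-recording translation above, as an added example (not code from the thesis or from NuSMV): an explicit-state version whose translated state carries the current state, the saved loop start, a fairness bit and the status st/lb/lc, and which runs BFS over that translated state space so that the first loop-closed (bad) state found is the shortest fair lasso. The model, its successor function and the fairness predicate (standing in for the product automaton's acceptance condition) are constructed inputs.

```python
from collections import deque
from typing import Callable, Dict, Hashable, Iterable, List, Optional, Tuple

State = Hashable
# Translated state: (current, saved, fair_seen, status) with status "st" (stem),
# "lb" (loop body: a loop start has been saved) or "lc" (loop closed: the bad state).
TState = Tuple[State, Optional[State], bool, str]

def shortest_fair_lasso(init: Iterable[State], succ: Callable[[State], Iterable[State]],
                        fair: Callable[[State], bool]) -> Optional[Tuple[List[State], List[State]]]:
    """BFS over the state-recording translation; BFS explores by path length,
    so the first "lc" state reached yields the shortest stem + loop."""
    start: List[TState] = []
    for s in init:
        start.append((s, None, False, "st"))   # stay in the stem
        start.append((s, s, fair(s), "lb"))    # 1. guess loop start: save s
    parent: Dict[TState, Optional[TState]] = {t: None for t in start}
    queue = deque(start)
    while queue:
        node = queue.popleft()
        cur, saved, seen, status = node
        for s2 in succ(cur):
            if status == "st":
                nxts = [(s2, None, False, "st"), (s2, s2, fair(s2), "lb")]
            else:
                seen2 = seen or fair(s2)        # 2. find a fair state in the loop
                closed = s2 == saved and seen2  # 3. second occurrence of the saved state
                nxts = [(s2, saved, seen2, "lc" if closed else "lb")]
            for t in nxts:
                if t in parent:
                    continue
                parent[t] = node
                if t[3] == "lc":
                    return _lasso(parent, t)
                queue.append(t)
    return None  # no fair lasso reachable: the liveness property holds

def _lasso(parent: Dict[TState, Optional[TState]], end: TState) -> Tuple[List[State], List[State]]:
    """Walk BFS parents back to an initial state; split stem ("st") from loop ("lb")."""
    path: List[TState] = []
    node: Optional[TState] = end
    while node is not None:
        path.append(node)
        node = parent[node]
    path.reverse()
    return ([c for c, _, _, st in path if st == "st"], [c for c, _, _, st in path if st == "lb"])
```

On a constructed model of F G (c = 2) with c as the state, transitions 0 → 1 → 2, 2 → 2, 2 → 0 and fairness c ≠ 2, `shortest_fair_lasso([0], lambda s: {0: [1], 1: [2], 2: [2, 0]}[s], lambda s: s != 2)` returns `([], [0, 1, 2])`: an empty stem and the loop 0, 1, 2 on which c ≠ 2 holds infinitely often.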
Complexity
[Figure: the translated state space. The stem (status st) over the original states 1, 2, 3 with the copies 1’, 2’, 3’ still unset; then |S| branches, one per saved state, each in the loop body (status lb, fair or not fair) and reaching lc (loop closed) on the second occurrence of the saved state.]
|S| branches, no changing between branches:
$|S_S| = O(|S|^2)$, $|T_S| = O(|S| \cdot |T|)$, $|(T_S)^*| = O(|S| \cdot |T^*|)$, $r_S, d_S = O(d)$
Experiments
Show feasibility of model checking the translated model: compare BDD-based symbolic model checking of LTL properties using
– Standard algorithm: NuSMV 2.2.2, labeled LTL
– Translated model: invariant checking in NuSMV 2.2.2, labeled L2S
Remarks
– LTL to Büchi automata with NuSMV’s ltl2smv
– No cone of influence reduction
– BDD variable order:
  – Use static order if available
  – No dynamic reordering
  – Interleave original state variables and L2S copies
Results
[Scatter plots: CPU time [seconds] (0.1 to 3600) and memory [# BDD nodes] (1e+03 to 1e+08), LTL (standard algorithm) on the vertical axis vs. L2S (translated model) on the horizontal axis, one pair of plots for false and one for true properties.]
Half-way Summary
Benefits
– Find shortest lassos with a BDD-based model checker
– Make tools and methods for safety available for liveness properties
– Have quick and dirty liveness algorithm
– Need fewer liveness proofs
What’s more
– Exponential speed up on selected examples
– Extension to infinite state systems: regular model checking, pushdown systems, timed automata
– Optimizations
Tight Büchi Automata
Not all Büchi automata allow finding shortest counterexamples:
[Figure: LTL formula ¬(p ∧ X G q); a system model with states labeled p,q / p / q; the Büchi automaton; the (Büchi) product automaton with states labeled p,q / p,q / p / q.]
To find shortest counterexamples, for each counterexample the Büchi automaton must have an accepting run of the same shape as the counterexample:
$\forall \alpha = \beta\gamma^\omega \in Lang(B).\ \exists \rho = \sigma\tau^\omega \in Runs(B).\ \rho \models \alpha \wedge |\beta| = |\sigma| \wedge |\tau| = |\gamma|$
⇒ Extend notion of tight automaton [Kupferman, Vardi ’01] to Büchi automata.
How Bad Is It?
Let
– $\varphi$ be a future time / mixed future and past time LTL property,
– $B_{\neg\varphi}$ be a Büchi automaton constructed with the method of Gerth et al. / Kesten et al., and
– $\alpha = \beta\gamma^\omega$ be a counterexample to $\varphi$.
Then there is an accepting run $\rho = \sigma\tau^\omega$ on $\alpha$ in $B_{\neg\varphi}$ with
$|\sigma| \le |\beta| + (h_{f/p}(\varphi) + 1)\,|\gamma|$ and $|\tau| = |\gamma|$,
where $h_{f/p}$ is the maximum number of nested future/past operators.
Popular methods to construct Büchi automata may lead to counterexamples with excess length linear in the maximum number of nested operators. The method by Kesten et al. produces tight automata for future time LTL.
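The shape condition that defines a tight Büchi automaton (previous slide) and the excess-stem bound above, as an added example (not code from the thesis): for a lasso word $\beta\gamma^\omega$ it checks whether an automaton has an accepting run of exactly the word's shape, and otherwise how many extra copies of $\gamma$ the run's stem needs. Both automata for p ∧ X G q are constructed here; the second is a deliberately non-tight variant and not the automaton drawn on the slide.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Set, Tuple

Letter = FrozenSet[str]              # propositions true at one position of the word
Guard = Callable[[Letter], bool]     # transition guard on the letter read

@dataclass
class Buchi:
    init: Set[str]
    acc: Set[str]
    trans: List[Tuple[str, Guard, str]]   # (source, guard, target)

    def step(self, states: Set[str], a: Letter) -> Set[str]:
        return {d for s in states for (src, g, d) in self.trans if src == s and g(a)}

def has_run_of_shape(aut: Buchi, beta: List[Letter], gamma: List[Letter]) -> bool:
    """Is there an accepting run rho = sigma tau^omega on beta gamma^omega with
    |sigma| = |beta| and |tau| = |gamma|?  The run's loop must start where the
    word's loop starts, return to the same state after reading gamma once, and
    pass an accepting state on the way (the loop start itself counts)."""
    reach = set(aut.init)
    for a in beta:
        reach = aut.step(reach, a)
    for start in reach:
        cur = {(start, start in aut.acc)}
        for a in gamma:
            cur = {(d, seen or d in aut.acc) for (s, seen) in cur for d in aut.step({s}, a)}
        if (start, True) in cur:
            return True
    return False

def excess_stem(aut: Buchi, beta: List[Letter], gamma: List[Letter], max_unroll: int) -> Optional[int]:
    """Smallest k such that a run of shape (|beta| + k|gamma|, |gamma|) exists:
    0 means the automaton is tight on this word, None means no accepting run of
    such a shape exists up to max_unroll extra copies of gamma in the stem."""
    for k in range(max_unroll + 1):
        if has_run_of_shape(aut, beta + gamma * k, gamma):
            return k
    return None

P, Q = frozenset({"p"}), frozenset({"q"})
has_p, has_q = (lambda a: "p" in a), (lambda a: "q" in a)
# Tight automaton for p /\ X G q: read p, then loop on q in an accepting state.
TIGHT = Buchi({"t0"}, {"t1"}, [("t0", has_p, "t1"), ("t1", has_q, "t1")])
# Constructed non-tight variant (assumption, not the slide's automaton): the first q of
# G q is read by a separate non-accepting state, so every accepting run's stem is one
# letter longer than the counterexample's stem.
LOOSE = Buchi({"n0"}, {"n2"}, [("n0", has_p, "n1"), ("n1", has_q, "n2"), ("n2", has_q, "n2")])
```

For the counterexample word {p}{q}^ω, `excess_stem(TIGHT, [P], [Q], 3)` returns 0 while `excess_stem(LOOSE, [P], [Q], 3)` returns 1: the shortest lasso the non-tight automaton can exhibit has a stem one letter longer than the counterexample itself.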
Tightening Büchi Automata
Assume the following (abstract) run and counterexample:
  run:  1 2 3 4 5 6 7 8 | 9 10 11 | 9 10 11 ...   (stem 1 ... 8, loop 9 10 11)
  cex:  a b | c d e | c d e | c d e | c d e ...    (stem a b, loop c d e)
The run's stem (1 ... 8) is longer than the counterexample's stem (a b). Have different parts of the run work in parallel: form vectors of states, stacking the segments of the run that read the same letters:
  run:        9 10 11 | 9 10 11 | 9 10 11 ...
              6  7  8 | 6  7  8 | 6  7  8 ...
        1 2 | 3  4  5 | 3  4  5 | 3  4  5 ...   (stem 1 2, loop of state vectors (3,6,9) (4,7,10) (5,8,11))
  cex:  a b | c  d  e | c  d  e | c  d  e ...   (stem a b, loop c d e)
Experiments
Determine counterexample length using
– standard algorithm and standard automaton
– invariant checking of translated model and standard automaton
– invariant checking of translated model and tight automaton
Compare finding shortest counterexamples with tight encoding using
– SAT-based BMC [Heljanko, Junttila, Latvala ’05] ⇒ preliminary incremental implementation of [Latvala et al. ’05] in modified NuSMV 2.2.2, labeled BMC
– BDD-based invariant checking of translated model, labeled L2S
Remarks
– as before, but
– no static order for BDDs (other than interleaving of original and L2S copies of state variables)
Results: Reduction in Counterexample Length
[Plot: counterexample length (0 to 400) per sample for three configurations: LTL, not tight; L2S, not tight; L2S, tight.]
Results: BDDs vs. SAT
[Scatter plots: L2S (BDDs) on the horizontal axis vs. incremental BMC (SAT) on the vertical axis; CPU time [seconds] (0.1 to 3600) and memory [MByte] (1 to 1000).]
Related Work
Liveness Checking as Safety Checking:
– Shilov, Yi, Eo, O, Choe ’01/’05: Reduction of SOEPDL (> 2M of C. Stirling) to reachability. Requires closure under Cartesian product and subset constructions. More powerful but doubly exponential.
– Burch ’90: Reduction for timed trace structures. Requires user to come up with appropriate time constraint.
– Ultes-Nitsche ’02: Satisfaction within fairness corresponds to some safety property. May change semantics.
Tight Büchi Automata:
– Kupferman, Vardi ’01: Shortest counterexamples for safety properties. Tight automata on finite words.
– Benedetti, Cimatti ’03: Virtual unrolling for BMC.
– Latvala, Biere, Heljanko, Junttila ’05: Inspiration for tight Büchi automata.
The End
Summary:
– Feasible translation from liveness to safety
– Tight Büchi automata
– Practical BDD-based method to find shortest counterexamples for LTL
Future Work:
– More powerful logics
– Tight Büchi automata for explicit state model checking
– Complementary property of tightness