Model Checking in the Propositional -Calculus Ka I Violet Pun INF - PowerPoint PPT Presentation

Model Checking in the Propositional µ -Calculus Ka I Violet Pun INF 9140 - Specification and Verification of Parallel Systems 13 th May, 2011

Overview Model Checking is a useful means to automatically ascertain the specification of a system Use logics to specify the properties of a system Use a decision procedure to decide if the system satisfies the specification Propositional µ -Calculus Branching time temporal logic Expressive logic: many branching time logics can be translated into this logic Fully characterize the behaviour of finite-state processes Tableau-based proof system Top-down proofs Determine whether states in a finite-state system satisfy propositions specified in µ -calculus Violet Pun Model Checking in the Propositional µ -Calculus 2 / 24

Syntax Grammar of the propositions Φ ::= A | X | ¬ Φ | Φ ∨ Φ | � a � Φ | ν X . Φ formula { Φ , . . . , } atomic formulas A = { A , . . . , } propositional variables V = { X , . . . , } actions symbols Act = { a , . . . , } propositional connectives ¬ and ∨ modal operator � a � recursion operator ν Violet Pun Model Checking in the Propositional µ -Calculus 3 / 24

Syntax Modal operators in µ -calculus are indexed by an action a [ a ]Φ can be written as ¬� a �¬ Φ a a a b a b Φ ¬Φ Φ’ Φ Φ Φ’ Figure: � a � Φ Figure: [ a ]Φ Violet Pun Model Checking in the Propositional µ -Calculus 4 / 24

Syntax Recursion operators are used for recursive formula ν X . Φ and µ X . Φ, ν is a greatest fixed point operator µ is a least fixed point operator µ X . Φ is written as ¬ ν X . ¬ Φ[ ¬ X / X ] Syntactic Restrictions on Φ Any occurrence of X in Φ must occur inside the scope of an even number of negation to maintain monotonicity Violet Pun Model Checking in the Propositional µ -Calculus 5 / 24

Transition System Models of µ -calculus is a labelled transition system A representation of operational behaviour of procecsses �S , Act , →� S is a set of states { s , . . . } Act is a set of actions { a , . . . } a → is a transition relation on S × Act × S , written as s − → s ′ for some state s ′ Violet Pun Model Checking in the Propositional µ -Calculus 6 / 24

Model of µ -calculus Models for the µ -calculus is a quadruple of the form �S , Act , → , V � �S , Act , →� is a labelled transition system V is a function, called valuation , maps each A ∈ A to sets of states where A holds Violet Pun Model Checking in the Propositional µ -Calculus 7 / 24

Semantics of the propositions Semantics of the µ -calculus is written in the form � Φ � e � A � e = V ( A ) � X � e = e ( X ) � ¬ Φ � e = S − � Φ � e � Φ 1 ∨ Φ 2 � e = � Φ 1 � e ∪ � Φ 2 � e ϕ a ( � Φ � e ) , where ϕ a ( S ) = { s ′ | ∃ s ∈ S . s ′ a � � a � Φ � e = − → s } � ν X . Φ � e = � { S ⊆ S | S ⊆ � Φ � e [ X �→ S ] } Remarks 1 e is an environment which maps variables to sets of states 2 e [ X �→ S ] represents the environment e with variable X replaced by S Violet Pun Model Checking in the Propositional µ -Calculus 8 / 24

Lattice For any set χ , � 2 χ , ⊆ , ∪ , ∩� is a complete lattice where 2 χ a set ⊆ ordering relation � 2 χ , ⊆� is a partially ordered set ∪ the least upper bound ∩ the greatest lower bound Violet Pun Model Checking in the Propositional µ -Calculus 9 / 24

Fixed points A fixed point of a function φ over a lattice is φ ( S ) = S , where S ⊆ χ and a set of fixed points is written as { S ⊆ χ | φ ( S ) = S } A greatest fixed point, X, of φ is X ∈ { S ⊆ χ | φ ( S ) = S } ∃ X ′ , X ′ ∈ { S ⊆ χ | φ ( S ) = S } , X ′ ⊆ X A least fixed point, X, of φ is X ∈ { S ⊆ χ | φ ( S ) = S } ∃ X ′ , X ′ ∈ { S ⊆ χ | φ ( S ) = S } , X ⊆ X ′ Violet Pun Model Checking in the Propositional µ -Calculus 10 / 24

Fixed points A function φ is monotone over a lattice if X 1 ⊆ X 2 φ ( X 1 ) ⊆ φ ( X 2 ) Tarski’s Fixed Point Theorem If the function φ over a lattice is monotonic, then it has Greatest fixed point νφ � { S ⊆ χ | S ⊆ φ ( S ) } Least fixed point µφ � { S ⊆ χ | φ ( S ) ⊆ S } Violet Pun Model Checking in the Propositional µ -Calculus 11 / 24

Fixed points For µ -calculus, given an environment e , a function φ is defined by φ ( S ) = � Φ � e [ X �→ S ] Syntactic Restrictions on Φ Any occurrences of X in Φ must occur inside the scope of an even number of negation guarantees function φ over a lattice defined by 2 S to be monotonic, because ¬ is anti-monotonic Hence, φ has a greatest fixed point νφ . Violet Pun Model Checking in the Propositional µ -Calculus 12 / 24

Fixed points � 2 S , ⊆ , ∪ , ∩� is finite every monotonic function over a finite complete lattice is continuous Kleene’s Fixed Point Theorem The greatest/least fixed point of a continuous funtion φ � ∞ νφ = i =0 φ i � ∞ i =0 φ ′ µφ = i where φ 0 = S φ i +1 = φ ( φ i ) φ ′ = ∅ 0 φ ′ φ ( φ ′ = i ) i +1 Violet Pun Model Checking in the Propositional µ -Calculus 13 / 24

Fixed points ¡ ! ¡ ! ( ! ! ) ¡ ! ⊆ ! ¡ ¡ ! ( ! ) ⊆ ! } ¡ ⋂ ! ! ! ! ! ! ¡ !" = ⋃ ! ⊆ ! ¡ ! ! = ! } ¡ ! ! ! ¡ !" = ⋂ ! ! ! = ⋃ ! ⊆ ! ¡ ¡ ! ⊆ ! ( ! ) } ¡ ¡ ! ⊆ ! ¡ ! ! = ! } ¡ !" = ⋂ ! ⊆ ! ¡ ¡ ! ! = ! } ¡ ! ! ′ ! ¡ !" = ⋃ ! ! ! = ⋂ ! ⊆ ! ¡ ¡ ! ( ! ) ⊆ ! } ¡ ¡ ⋃ ! ! ! ! ! ′ ! ¡ ! ⊆ ! ¡ ¡ ! ⊆ ! ( ! ) } ¡ ! ( ! ′ ! ) ¡ ∅ ¡ Violet Pun Model Checking in the Propositional µ -Calculus 14 / 24

The Tableau-Based Proof System The proofs are conducted in a top-down fashion: conclusions above premises A decision procedure to determine if states have properties specified Not necessary to examine every state in the system Reuse information computated in one phase of the tableau construction process Violet Pun Model Checking in the Propositional µ -Calculus 15 / 24

The Tableau-Based Proof System Proof rules operate on sequents Sequents H ⊢ M s ∈ Φ M is a model s is a state from M H is a set of hypotheses { s ′ :Γ } s ′ a state Γ a closed recursive formula written as σ, . . . , for short Violet Pun Model Checking in the Propositional µ -Calculus 16 / 24

The Tableau-Based Proof System Tableau for a sequent σ is a maximal proof tree constructed by the tableau rules and having σ as the root Given a sequent σ ′ that is resulting from applying a rule to σ , σ ′ is the child of σ σ is the parent of σ ′ a sequent in a tableau is a leaf if it does not have any children the height of a tableau is the length of the longest sequence � σ 0 , σ 1 , . . . � Violet Pun Model Checking in the Propositional µ -Calculus 17 / 24

The Tableau-Based Proof System Definition A leaf H ⊢ s ∈ Φ is successful if 1 Φ ∈ A and s ∈ V (Φ), or 2 Φ is ¬ A for some A ∈ A and s �∈ V ( A ), or 3 Φ is ¬� a � Φ ′ for some a and Φ ′ , or 4 Φ is ν X . Φ ′ when s : ν X . Φ ∈ H for some X and Φ ′ A tableau is successful when all its leaves are successful A sequent σ has a proof if it has a successful tableau Violet Pun Model Checking in the Propositional µ -Calculus 18 / 24

Tableau rules for the propositional µ -calculus H ⊢ s ∈ ¬¬ Φ H ⊢ s ∈ Φ 1 ∨ Φ 2 R 1 R 2 H ⊢ s ∈ Φ 1 H ⊢ s ∈ Φ H ⊢ s ∈ Φ 1 ∨ Φ 2 H ⊢ s ∈ ¬ (Φ 1 ∨ Φ 2 ) R 3 R 4 H ⊢ s ∈ Φ 2 H ⊢ s ∈ ¬ Φ 1 , H ⊢ s ∈ ¬ Φ 2 H ⊢ s ∈ � a � Φ ( s ′ ∈ { s ′ | s a R 5 − → s ′ } ) H ⊢ s ′ ∈ Φ H ⊢ s ∈ ¬� a � Φ ( { s 1 , s 2 , ... } = { s ′ | s a R 6 − → s ′ } ) H ⊢ s 1 ∈ ¬ Φ , H ⊢ s 2 ∈ ¬ Φ , . . . H ⊢ s ∈ ν X . Φ R 7 ( s : ν X . Φ �∈ H ) H ′ ∪ { s : ν X . Φ } ⊢ s ∈ Φ[ ν X . Φ / X ] H ⊢ s ∈ ¬ ν X . Φ R 8 ( s : ν X . Φ �∈ H ) H ′ ∪ { s : ν X . Φ } ⊢ s ∈ ¬ Φ[ ν X . Φ / X ] where H ′ = H − { s ′ : Γ | ν X . Φ ≺ Γ } Violet Pun Model Checking in the Propositional µ -Calculus 19 / 24

Tableau rules for the propositional µ -calculus H ⊢ s ∈ ν X . Φ ( s : ν X . Φ �∈ H ) R 7 H ′ ∪ { s : ν X . Φ } ⊢ s ∈ Φ[ ν X . Φ / X ] where H ′ = H − { s ′ : Γ | ν X . Φ ≺ Γ } A state satisifes a recursive property if it satisfies the unrolling of the property. Assumptions involving formulas having the the recursive formula as a subformula are removed. Violet Pun Model Checking in the Propositional µ -Calculus 20 / 24

Model Checking Algorithm Example algorithm: a simple straightforward procedure Violet Pun Model Checking in the Propositional µ -Calculus 21 / 24

Model Checking Algorithm The simple algorithm is not efficient Exponential behaviour for formulas Reason: Nested modal operator No provision for storing the reseults of sequents whose truth has been determined Violet Pun Model Checking in the Propositional µ -Calculus 22 / 24

Possible solution Save the result from the previous computation and look it up later Truth of sequents can be deduced solely based on the truth of the other sequents Suppose that H ⊢ s ∈ ν X . Φ has a successful tableau. Then H ∪ { s : ν X . Φ } ⊢ s ′ ∈ Γ has a successful tableau if and only if H ⊢ s ′ ∈ Γ does. Violet Pun Model Checking in the Propositional µ -Calculus 23 / 24