

1. Model Checking: the Interval Way
Angelo Montanari
Dept. of Mathematics, Computer Science, and Physics
University of Udine, Italy
34th Italian Conference on Computational Logic (CILC)
Trieste (Italy), June 21st, 2019

2. Model checking
Model checking: the desired properties of a system are checked against a model of it
◮ the model is usually a (finite) state-transition system
◮ system properties are specified by a temporal logic (LTL, CTL, CTL* and the like)
Distinctive features of model checking:
◮ exhaustive check of all the possible behaviours
◮ fully automatic process
◮ a counterexample is produced for a violated property

3. The Interval Way
Model checking is usually point-based:
◮ properties express requirements over points (snapshots) of a computation (states of the state-transition system)
◮ they are specified by means of point-based temporal logics such as LTL, CTL, and CTL*
Interval properties express conditions on computation stretches instead of on computation states
A lot of work has been done on interval temporal logic (ITL) satisfiability checking (a comprehensive survey can be found at https://users.dimi.uniud.it/~angelo.montanari/Movep2016-partI.pdf)
ITL model checking entered the research agenda only in recent years (Bozzelli, Lomuscio, Michaliszyn, Molinari, Montanari, Murano, Perelli, Peron, Sala)

4. Outline of the talk
◮ The model checking problem for interval temporal logics
◮ Complexity results: the general picture
◮ Interval vs. point temporal logic model checking: an expressiveness comparison (a short account)
◮ Interval temporal logic model checking with regular expressions (a short account)
◮ Ongoing work and future developments

5. The modeling of the system: Kripke structures
◮ ITL formulas are interpreted over (finite) state-transition systems, whose states are labeled with sets of proposition letters (Kripke structures)
◮ An interval is a trace (finite path) in a Kripke structure
[Figure: an example of Kripke structure (the scheduler $K_{Sched}$ of slide 9): state $v_0$ labelled $\emptyset$, states $v_1, v_2, v_3$ and $\bar{v}_1, \bar{v}_2, \bar{v}_3$ labelled $p_1, p_2, p_3$, transitions $r_1, r_2, r_3$ and $u_1, u_2, u_3$]

6. HS: the modal logic of Allen’s interval relations
Allen’s interval relations: the 13 binary ordering relations between 2 intervals on a linear order. They give rise to corresponding unary modalities over frames where intervals are primitive entities:
◮ HS features a modality for any Allen ordering relation between pairs of intervals (except for equality)

Allen rel.     HS                    Definition
meets          $\langle A \rangle$   $[x,y]\,R_A\,[v,z] \iff y = v$
before         $\langle L \rangle$   $[x,y]\,R_L\,[v,z] \iff y < v$
started-by     $\langle B \rangle$   $[x,y]\,R_B\,[v,z] \iff x = v \wedge z < y$
finished-by    $\langle E \rangle$   $[x,y]\,R_E\,[v,z] \iff y = z \wedge x < v$
contains       $\langle D \rangle$   $[x,y]\,R_D\,[v,z] \iff x < v \wedge z < y$
overlaps       $\langle O \rangle$   $[x,y]\,R_O\,[v,z] \iff x < v < y < z$
[Example column of the original table: a picture of the two intervals $[x,y]$ and $[v,z]$ for each relation]

All modalities can be expressed by means of $\langle A \rangle$, $\langle B \rangle$, $\langle E \rangle$, and their transposed modalities only (if point intervals are admitted, $\langle B \rangle$, $\langle E \rangle$, and their transposed modalities suffice)

7. HS semantics and model checking
Truth of a formula $\psi$ over a trace $\rho$ of a Kripke structure $K = (AP, W, \delta, \mu, w_0)$ defined by induction on the complexity of $\psi$:
◮ $K, \rho \models p$ iff $p \in \bigcap_{w \in states(\rho)} \mu(w)$, for any letter $p \in AP$ (homogeneity assumption);
◮ clauses for negation, disjunction, and conjunction are standard;
◮ $K, \rho \models \langle A \rangle \psi$ iff there is a trace $\rho'$ s.t. $lst(\rho) = fst(\rho')$ and $K, \rho' \models \psi$;
◮ $K, \rho \models \langle B \rangle \psi$ iff there is a proper prefix $\rho'$ of $\rho$ s.t. $K, \rho' \models \psi$;
◮ $K, \rho \models \langle E \rangle \psi$ iff there is a proper suffix $\rho'$ of $\rho$ s.t. $K, \rho' \models \psi$;
◮ the semantic clauses for $\langle \bar{A} \rangle$, $\langle \bar{B} \rangle$, and $\langle \bar{E} \rangle$ are similar
Model Checking
$K \models \psi \iff$ for all initial traces $\rho$ of $K$, it holds that $K, \rho \models \psi$
Possibly infinitely many traces!

8. Remark: HS state semantics (HS$_{st}$)
◮ According to the given semantics, HS modalities allow one to branch both in the past and in the future
[Figure: branching traces labelled $\varphi_1$ and $\varphi_2$, annotated with $\langle B \rangle \varphi_1$, $\langle A \rangle \varphi_1$, $\langle A \rangle \varphi_2$ and $\langle E \rangle \varphi_1$]

9. The Kripke structure $K_{Sched}$ for a simple scheduler
[Figure: $K_{Sched}$, with state $v_0$ (labelled $\emptyset$), states $v_1, v_2, v_3$ and $\bar{v}_1, \bar{v}_2, \bar{v}_3$ (labelled $p_1, p_2, p_3$ respectively), and transitions $r_1, r_2, r_3$ and $u_1, u_2, u_3$]

10. A short account of $K_{Sched}$
$K_{Sched}$ models the behaviour of a scheduler serving 3 processes which are continuously requesting the use of a common resource (it can be easily generalised to an arbitrary number of processes)
Initial state: $v_0$ (no process is served in that state)
In $v_i$ and $\bar{v}_i$ the $i$-th process is served ($p_i$ holds in those states)
The scheduler cannot serve the same process twice in two successive rounds:
◮ process $i$ is served in state $v_i$; then, after “some time”, a transition $u_i$ from $v_i$ to $\bar{v}_i$ is taken; subsequently, process $i$ cannot be served again immediately, as $v_i$ is not directly reachable from $\bar{v}_i$
◮ a transition $r_j$, with $j \neq i$, from $\bar{v}_i$ to $v_j$ is then taken and process $j$ is served

11. Some meaningful properties to be checked over $K_{Sched}$
Validity of properties over all legal computation intervals can be forced by modality $[E]$ (they are suffixes of at least one initial trace)
Property 1: in any computation interval of length at least 4, at least 2 processes are witnessed (YES: no process can be executed twice in a row)
$K_{Sched} \models [E]\big(\langle E \rangle^3 \top \to (\chi(p_1,p_2) \vee \chi(p_1,p_3) \vee \chi(p_2,p_3))\big)$, where $\chi(p,q) = \langle E \rangle \langle \bar{A} \rangle p \wedge \langle E \rangle \langle \bar{A} \rangle q$
Property 2: in any computation interval of length at least 11, process 3 is executed at least once (NO: if there are at least 3 processes, the scheduler can postpone the execution of one of them ad libitum—starvation)
$K_{Sched} \not\models [E](\langle E \rangle^{10} \top \to \langle E \rangle \langle \bar{A} \rangle p_3)$
Property 3: in any computation interval of length at least 6, all processes are witnessed (NO: the scheduler should be forced to execute them in a strictly periodic manner, which is not the case)
$K_{Sched} \not\models [E]\big(\langle E \rangle^5 \top \to (\langle E \rangle \langle \bar{A} \rangle p_1 \wedge \langle E \rangle \langle \bar{A} \rangle p_2 \wedge \langle E \rangle \langle \bar{A} \rangle p_3)\big)$
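To make the semantic clauses of slide 7 and the three checks of slide 11 executable, here is an added Python example (my code, not the speaker's or the authors' tool). It evaluates HS formulas over traces of a Kripke structure as the clauses state them (homogeneity for letters, proper prefixes for ⟨B⟩, proper suffixes for ⟨E⟩, meeting traces for ⟨A⟩ and ⟨Ā⟩), then checks the three properties over every initial trace up to a length bound and returns the violating initial trace as the counterexample. Two things are assumptions of this example, not content of the slides: $K_{Sched}$ is rebuilt from the prose of slide 10 (states v0, v_i, vbar_i; transitions r_i, u_i and r_j with j ≠ i; no self-loops), and ⟨A⟩/⟨Ā⟩ witnesses are searched only up to `witness_bound` states. Since a Kripke structure has unboundedly many traces this is a bounded check: a counterexample is conclusive, "no counterexample up to the bound" is not, which is exactly the gap the descriptor-based procedure of the following slides closes.

```python
# Bounded HS model checking over a Kripke structure.  Added example, not the
# speaker's own tool.  Formulas are nested tuples; K_Sched is reconstructed from
# slide 10 (no self-loops assumed); <A>/<Abar> witnesses are searched only up to
# `witness_bound` states, so this is a bounded check, not the talk's procedure.

TOP = ("top",)  # grammar: ("top",) | ("p", name) | ("not", f) | ("and", f, g) | ("or", f, g) | ("dia", mod, f)

def prop(name): return ("p", name)
def neg(f): return ("not", f)
def conj(f, g): return ("and", f, g)
def disj(f, g): return ("or", f, g)
def dia(mod, f): return ("dia", mod, f)          # mod in "A", "Abar", "B", "E"
def box(mod, f): return neg(dia(mod, neg(f)))    # [X] f  ==  not <X> not f
def implies(f, g): return disj(neg(f), g)

def dia_n(mod, n, f):
    """<X>^n f: n nested diamonds."""
    for _ in range(n):
        f = dia(mod, f)
    return f

class Kripke:
    def __init__(self, labels, edges, initial):
        self.labels = labels      # mu: state -> frozenset of proposition letters
        self.edges = edges        # delta: list of (source, target) pairs
        self.initial = initial    # w_0

    def successors(self, w): return [t for s, t in self.edges if s == w]
    def predecessors(self, w): return [s for s, t in self.edges if t == w]

class HSChecker:
    def __init__(self, k, witness_bound=2):
        self.k = k
        self.witness_bound = witness_bound   # assumption: <A>/<Abar> witnesses have at most this many states
        self.memo = {}                       # (trace, formula) -> bool

    def traces(self, w, max_len, forward=True):
        """All traces with 1..max_len states starting at w (forward) or ending at w
        (backward); point intervals are admitted."""
        stack = [(w,)]
        while stack:
            tr = stack.pop()
            yield tr
            if len(tr) < max_len:
                if forward:
                    stack.extend(tr + (s,) for s in self.k.successors(tr[-1]))
                else:
                    stack.extend((s,) + tr for s in self.k.predecessors(tr[0]))

    def holds(self, trace, f):
        """K, trace |= f, following the semantic clauses of slide 7."""
        key = (trace, f)
        if key not in self.memo:
            tag = f[0]
            if tag == "top":
                r = True
            elif tag == "p":        # homogeneity: p must hold at every state of the trace
                r = all(f[1] in self.k.labels[w] for w in trace)
            elif tag == "not":
                r = not self.holds(trace, f[1])
            elif tag == "and":
                r = self.holds(trace, f[1]) and self.holds(trace, f[2])
            elif tag == "or":
                r = self.holds(trace, f[1]) or self.holds(trace, f[2])
            else:
                mod, arg = f[1], f[2]
                if mod == "B":          # proper prefixes
                    cands = (trace[:i] for i in range(1, len(trace)))
                elif mod == "E":        # proper suffixes
                    cands = (trace[i:] for i in range(1, len(trace)))
                elif mod == "A":        # traces starting where this one ends
                    cands = self.traces(trace[-1], self.witness_bound, forward=True)
                elif mod == "Abar":     # traces ending where this one starts
                    cands = self.traces(trace[0], self.witness_bound, forward=False)
                else:
                    raise ValueError("unknown modality " + mod)
                r = any(self.holds(c, arg) for c in cands)
            self.memo[key] = r
        return self.memo[key]

    def check(self, f, max_len):
        """K |= f restricted to initial traces with at most max_len states.
        Returns None, or the first violating initial trace as a counterexample."""
        for tr in self.traces(self.k.initial, max_len):
            if not self.holds(tr, f):
                return tr
        return None

def k_sched():
    """K_Sched as described on slide 10 (constructed here; no self-loops assumed)."""
    labels, edges = {"v0": frozenset()}, []
    for i in (1, 2, 3):
        labels[f"v{i}"] = labels[f"vbar{i}"] = frozenset({f"p{i}"})
        edges.append(("v0", f"v{i}"))                                        # r_i
        edges.append((f"v{i}", f"vbar{i}"))                                  # u_i
        edges.extend((f"vbar{i}", f"v{j}") for j in (1, 2, 3) if j != i)   # r_j, j != i
    return Kripke(labels, edges, "v0")

def witnessed(p):
    """<E><Abar> p: some state of the interval other than its first is labelled p
    (the point interval at that state is the <Abar> witness)."""
    return dia("E", dia("Abar", prop(p)))

def chi(p, q): return conj(witnessed(p), witnessed(q))

PROPERTY_1 = box("E", implies(dia_n("E", 3, TOP),
                              disj(disj(chi("p1", "p2"), chi("p1", "p3")), chi("p2", "p3"))))
PROPERTY_2 = box("E", implies(dia_n("E", 10, TOP), witnessed("p3")))
PROPERTY_3 = box("E", implies(dia_n("E", 5, TOP),
                              conj(conj(witnessed("p1"), witnessed("p2")), witnessed("p3"))))

if __name__ == "__main__":
    chk = HSChecker(k_sched())
    for name, f, bound in (("1", PROPERTY_1, 8), ("2", PROPERTY_2, 12), ("3", PROPERTY_3, 7)):
        print("Property", name, chk.check(f, bound) or "holds on all initial traces up to the bound")
```

Run as a script, Property 1 produces no counterexample up to the bound, while Property 2 returns a 12-state initial trace in which process 3 is never served (the starvation the slide describes; the length-11 interval that violates the property is its proper suffix after $v_0$) and Property 3 returns a 7-state initial trace whose 6-state suffix misses one process. The bound for Property 2 has to be 12 rather than 11 precisely because $[E]$ quantifies over proper suffixes, as slide 11's remark about legal intervals being suffixes of initial traces implies.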


13. Model checking: the key notion of BE$_k$-descriptor
◮ The BE-nesting depth of an HS formula $\psi$ ($Nest_{BE}(\psi)$) is the maximum degree of nesting of modalities B and E in $\psi$
◮ Two traces $\rho$ and $\rho'$ of a Kripke structure $K$ are $k$-equivalent if and only if $K, \rho \models \psi$ iff $K, \rho' \models \psi$ for all HS formulas $\psi$ with $Nest_{BE}(\psi) \leq k$
For any given $k$, we provide a suitable tree representation for a trace, called a BE$_k$-descriptor
The BE$_k$-descriptor for a trace $\rho = v_0 v_1 .. v_{m-1} v_m$, denoted $BE_k(\rho)$, has the following structure:
  root: $(v_0, \{v_1, .., v_{m-1}\}, v_m)$ ← descriptor element
  children: $BE_{k-1}(\rho^{P_1}), BE_{k-1}(\rho^{P_2}), \ldots$ (where $\rho^{P_1}, \rho^{P_2}, \ldots$ are the prefixes of $\rho$) and $BE_{k-1}(\rho^{S_1}), BE_{k-1}(\rho^{S_2}), \ldots$ (where $\rho^{S_1}, \rho^{S_2}, \ldots$ are the suffixes of $\rho$)
Remark: the descriptor does not feature sibling isomorphic subtrees


15. An example of a BE$_2$-descriptor
The BE$_2$-descriptor for the trace $\rho = v_0 v_1 v_0^4 v_1$; point intervals are excluded (for the sake of readability, only the subtrees for prefixes are displayed)
[Figure: the two-state Kripke structure over $v_0$ and $v_1$ with proposition letters $p$ and $q$]
  (v_0, {v_0, v_1}, v_1)
  ├── (v_0, {v_0, v_1}, v_0)
  │   ├── (v_0, {v_0, v_1}, v_0)
  │   ├── (v_0, {v_1}, v_0)
  │   └── (v_0, {}, v_1)
  ├── (v_0, {v_0, v_1}, v_0)
  │   ├── (v_0, {v_1}, v_0)
  │   └── (v_0, {}, v_1)
  ├── (v_0, {v_1}, v_0)
  │   └── (v_0, {}, v_1)
  └── (v_0, {}, v_1)
Remark: the subtree to the left is associated with both prefixes $v_0 v_1 v_0^3$ and $v_0 v_1 v_0^4$ (no sibling isomorphic subtrees in the descriptor)
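To make the construction of slides 13 and 15 concrete, here is an added Python example (my code, not the speaker's). It builds $BE_k(\rho)$ recursively: the root is the descriptor element (first state, set of internal states, last state) and the children are the $BE_{k-1}$-descriptors of the proper prefixes and suffixes; keeping the children in a set is exactly what removes sibling isomorphic subtrees. Run on the constructed trace $\rho = v_0 v_1 v_0^4 v_1$ with suffixes switched off, it reproduces the 11-element tree of slide 15 and the remark that the prefixes $v_0 v_1 v_0^3$ and $v_0 v_1 v_0^4$ share one subtree. The `prefixes`, `suffixes` and `point_intervals` switches and the state names are this example's choices, not notation from the slides.

```python
# BE_k-descriptors as on slides 13 and 15.  Added example, not the speaker's code.
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class Descriptor:
    """Descriptor element (first, middle, last) plus the set of child descriptors.
    A frozenset of children is what removes sibling isomorphic subtrees: two
    structurally equal subtrees are one element of the set."""
    first: str
    middle: FrozenSet[str]
    last: str
    children: FrozenSet["Descriptor"]

    def size(self) -> int:
        """Number of descriptor elements (nodes) in the tree."""
        return 1 + sum(c.size() for c in self.children)

    def render(self, indent: int = 0) -> str:
        """Pre-order, indented text rendering; larger subtrees first, like the slide."""
        line = "  " * indent + f"({self.first}, {{{', '.join(sorted(self.middle))}}}, {self.last})"
        kids = sorted(self.children, key=lambda c: (-c.size(), sorted(c.middle), c.last))
        return "\n".join([line] + [c.render(indent + 1) for c in kids])


def be_descriptor(trace: Tuple[str, ...], k: int, prefixes: bool = True,
                  suffixes: bool = True, point_intervals: bool = False) -> Descriptor:
    """BE_k(trace).  With point_intervals=False, single-state sub-traces are skipped
    (as on slide 15); prefixes/suffixes=False drops one family of children (the
    slide displays the prefix subtrees only)."""
    if len(trace) == 0:
        raise ValueError("a trace has at least one state")
    children = set()
    if k > 0:
        min_len = 1 if point_intervals else 2
        subs = []
        if prefixes:
            subs += [trace[:i] for i in range(1, len(trace))]   # proper prefixes
        if suffixes:
            subs += [trace[i:] for i in range(1, len(trace))]   # proper suffixes
        for sub in subs:
            if len(sub) >= min_len:
                children.add(be_descriptor(sub, k - 1, prefixes, suffixes, point_intervals))
    return Descriptor(trace[0], frozenset(trace[1:-1]), trace[-1], frozenset(children))


# Constructed input: the trace rho = v0 v1 v0^4 v1 of slide 15.
RHO = ("v0", "v1", "v0", "v0", "v0", "v0", "v1")

if __name__ == "__main__":
    d = be_descriptor(RHO, 2, suffixes=False)
    print(d.render())
    print("descriptor elements:", d.size())
    # the prefixes v0 v1 v0^3 and v0 v1 v0^4 have the same BE_1-descriptor
    print(be_descriptor(RHO[:5], 1, suffixes=False) == be_descriptor(RHO[:6], 1, suffixes=False))
```

With both prefix and suffix children enabled the descriptor of the same trace is larger but still finite for any fixed $k$, which is the point of slide 13: the tree records everything a formula of BE-nesting depth at most $k$ can distinguish about the trace, independently of the trace's length.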
