Model Checking: the Interval Way
Alberto Molinari (j.w. with L. Bozzelli, A. Montanari, A. Peron, P. Sala)
University of Udine, Department of Mathematics, Computer Science, and Physics (DMIF)
July 27, 2018
MODEL CHECKING

Model checking: the desired properties of a system are checked against a model of the system
- the model is a (finite) state-transition graph
- system properties are specified by a temporal logic (e.g., LTL, CTL, CTL*, ...)

Distinctive features of model checking:
- exhaustive verification of all the possible behaviours
- fully automatic process
- a counterexample is produced for a violated property
POINT-BASED VS. INTERVAL-BASED MC

Model checking (MC) is usually point-based:
- properties express requirements over points (snapshots) of a computation (states of the state-transition system)
- they are specified by means of point-based temporal logics such as LTL, CTL, and CTL*

Interval-based MC:
- interval-based properties express conditions on computation stretches
- they are specified by means of interval temporal logics, which feature intervals as their basic ontological entities (e.g., HS)
- ability to express: actions with duration, accomplishments, aggregations
- applied to computational linguistics, artificial intelligence, temporal databases, formal verification
THE LOGIC HS

HS features a modality for each of the 13 Allen's ordering relations between pairs of intervals (except for equality)

Allen rel.     HS      Definition
meets          ⟨A⟩     [x, y] R_A [v, z] ⇔ y = v
before         ⟨L⟩     [x, y] R_L [v, z] ⇔ y < v
started-by     ⟨B⟩     [x, y] R_B [v, z] ⇔ x = v ∧ z < y
finished-by    ⟨E⟩     [x, y] R_E [v, z] ⇔ y = z ∧ x < v
contains       ⟨D⟩     [x, y] R_D [v, z] ⇔ x < v ∧ z < y
overlaps       ⟨O⟩     [x, y] R_O [v, z] ⇔ x < v < y < z

(the Example column of the original table is a drawing of the two intervals [x, y] and [v, z] for each relation)

ψ ::= p | ¬ψ | ψ ∨ ψ | ⟨X⟩ψ | ⟨X̄⟩ψ        X ∈ {A, L, B, E, D, O}

All modalities can be expressed by means of ⟨A⟩, ⟨B⟩, ⟨E⟩ and their transposed modalities ⟨Ā⟩, ⟨B̄⟩, ⟨Ē⟩ only
KRIPKE STRUCTURES

HS formulas are interpreted over (finite) state-transition systems whose states are labeled with sets of proposition letters (Kripke structures)

[Figure: a Kripke structure with initial state v0 (labeled ∅) and states v1, v2, v3 and v̄1, v̄2, v̄3 (labeled p1, p2, p3)]

An interval is a trace (finite path) in a Kripke structure
HS (STATE-BASED) SEMANTICS

[Figures: a trace satisfying ⟨B⟩ϕ (some proper prefix of it satisfies ϕ) and a trace satisfying ⟨E⟩ϕ (some proper suffix of it satisfies ϕ), drawn on a Kripke structure]

Branching semantics of past/future operators
HS (STATE-BASED) SEMANTICS AND MC

Truth of a formula ψ over a trace ρ of a Kripke structure K = (AP, W, δ, µ, w0). Three alternative labelings of proposition letters are considered (one per slide in the original):
- K, ρ ⊨ p iff p ∈ ⋂_{w ∈ states(ρ)} µ(w), for any letter p ∈ AP (homogeneity assumption);
- K, ρ ⊨ p iff p ∈ µ(fst(ρ), lst(ρ)), for any letter p ∈ AP (endpoint-based labeling);
- K, ρ ⊨ r iff µ(ρ) ∈ L(r) (labeling based on regular expressions, subsuming the others).

Then:
- negation, disjunction, and conjunction are standard;
- K, ρ ⊨ ⟨A⟩ψ ...; K, ρ ⊨ ⟨B⟩ψ ...; K, ρ ⊨ ⟨E⟩ψ ...;
- inverse operators ⟨Ā⟩, ⟨B̄⟩, ⟨Ē⟩.

MC: K ⊨ ψ ⇔ for all initial traces ρ of K, it holds that K, ρ ⊨ ψ

Possibly infinitely many traces!
THE KRIPKE STRUCTURE K_Sched FOR A SIMPLE SCHEDULER

[Figure: K_Sched, with initial state v0 (labeled ∅) and states v1, v2, v3 and v̄1, v̄2, v̄3 (labeled p1, p2, p3)]
A SHORT ACCOUNT OF K_Sched

K_Sched models the behaviour of a scheduler serving 3 processes which are continuously requesting the use of a common resource (easily generalizable to an arbitrary number of processes)
- Initial state: v0 (no process is served in that state)
- In v_i and v̄_i the i-th process is served (p_i holds in those states)
- The scheduler cannot serve the same process twice in two successive rounds: process i is served in state v_i, then, after "some time", a transition u_i from v_i to v̄_i is taken; subsequently, process i cannot be served again immediately, as v_i is not directly reachable from v̄_i: a transition r_j, with j ≠ i, from v̄_i to v_j is then taken and process j is served
SOME PROPERTIES TO BE CHECKED OVER K_Sched

Validity of properties over all reachable computation intervals can be forced by modality [E] (they are suffixes of at least one initial trace).

In any computation interval of length at least 4, at least 2 processes are witnessed (YES: no process can be executed twice in a row)
    K_Sched ⊨ [E](⟨E⟩³⊤ → (χ(p1, p2) ∨ χ(p1, p3) ∨ χ(p2, p3))),  where χ(p, q) = ⟨E⟩⟨Ā⟩p ∧ ⟨E⟩⟨Ā⟩q.

In any computation interval of length at least 11, process 3 is executed at least once (NO: the scheduler can postpone the execution of a process ad libitum, i.e. starvation)
    K_Sched ⊭ [E](⟨E⟩¹⁰⊤ → ⟨E⟩⟨Ā⟩p3).

In any computation interval of length at least 6, all processes are witnessed (NO: the scheduler should be forced to execute them in a strictly periodic manner, which is not the case)
    K_Sched ⊭ [E](⟨E⟩⁵⊤ → (⟨E⟩⟨Ā⟩p1 ∧ ⟨E⟩⟨Ā⟩p2 ∧ ⟨E⟩⟨Ā⟩p3)).
MC: THE KEY NOTION OF BE_k-DESCRIPTOR

The BE-nesting depth of an HS formula ψ (Nest_BE(ψ)) is the maximum degree of nesting of modalities B and E in ψ

Two traces ρ and ρ′ of a Kripke structure K are k-equivalent iff:
    K, ρ ⊨ ψ iff K, ρ′ ⊨ ψ, for all HS formulas ψ with Nest_BE(ψ) ≤ k

For any given k, we provide a suitable tree representation for a trace, called a BE_k-descriptor
MC: THE KEY NOTION OF BE_k-DESCRIPTOR

The BE_k-descriptor for a trace ρ = v0 v1 ... v_{m-1} v_m, denoted BE_k(ρ), has the following structure:

    (v0, {v1, ..., v_{m-1}}, v_m)                        ← descriptor element (root)
      BE_{k-1}(ρ^P_1)  BE_{k-1}(ρ^P_2)  ...                ρ^P_1, ρ^P_2, ... prefixes of ρ
      BE_{k-1}(ρ^S_1)  BE_{k-1}(ρ^S_2)  ...                ρ^S_1, ρ^S_2, ... suffixes of ρ

(the BE_{k-1}-descriptors of the prefixes and suffixes are the subtrees hanging from the root)

Remark: the descriptor does not feature sibling isomorphic subtrees
AN EXAMPLE OF A BE_2-DESCRIPTOR

The BE_2-descriptor for the trace ρ = v0 v1 v0⁴ v1 (for the sake of readability, only the subtrees for prefixes are displayed and point intervals are excluded)

[Figure: a two-state Kripke structure with states v0 and v1, labeled p and q]

    (v0, {v0, v1}, v1)
    ├── (v0, {v0, v1}, v0)
    │   ├── (v0, {v0, v1}, v0)
    │   ├── (v0, {v1}, v0)
    │   └── (v0, ∅, v1)
    ├── (v0, {v0, v1}, v0)
    │   ├── (v0, {v1}, v0)
    │   └── (v0, ∅, v1)
    ├── (v0, {v1}, v0)
    │   └── (v0, ∅, v1)
    └── (v0, ∅, v1)

Remark: the first (leftmost) subtree is associated with both prefixes v0 v1 v0³ and v0 v1 v0⁴ (no sibling isomorphic subtrees in the descriptor)
DECIDABILITY OF MC FOR FULL HS

FACT 1: For any Kripke structure K and any BE-nesting depth k ≥ 0, the number of different BE_k-descriptors is finite (and thus at least one descriptor has to be associated with infinitely many traces)
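A worked example added here (not code from the talk or its authors): BE_k-descriptors built as canonical hashable trees, checked on the slides' trace ρ = v0 v1 v0⁴ v1, with a counting helper that illustrates FACT 1 by enumerating initial traces up to a length bound. The two-state Kripke structure K_EXAMPLE (v0 → v0, v0 → v1, v1 → v0) is an assumption chosen so that ρ is one of its traces; the prefixes-only / no-point-intervals switches only reproduce the slide's drawing convention.

```python
# Added example (not code from the talk): BE_k-descriptors as canonical, hashable trees.
# A node is (element, children): element = (first_state, frozenset(internal_states), last_state),
# children = frozenset of BE_{k-1}-descriptors, so isomorphic sibling subtrees collapse into one.
def descriptor_element(trace):
    """Descriptor element (v0, {v1, ..., v_{m-1}}, vm) of a trace given as a tuple of states."""
    return (trace[0], frozenset(trace[1:-1]), trace[-1])

def be_descriptor(trace, k, prefixes_only=False, point_intervals=False):
    """BE_k-descriptor of `trace`: its element plus the BE_{k-1}-descriptors of its proper
    prefixes and suffixes. prefixes_only=True with point_intervals=False reproduces the
    drawing convention of the BE_2 example (prefix subtrees only, point intervals excluded)."""
    elem = descriptor_element(trace)
    if k == 0:
        return (elem, frozenset())
    shortest = 1 if point_intervals else 2
    subtraces = [trace[:i] for i in range(shortest, len(trace))]                # proper prefixes
    if not prefixes_only:
        subtraces += [trace[i:] for i in range(1, len(trace) - shortest + 1)]  # proper suffixes
    return (elem, frozenset(be_descriptor(s, k - 1, prefixes_only, point_intervals)
                            for s in subtraces))

def size(desc):
    """Number of nodes of a descriptor, isomorphic siblings already merged."""
    return 1 + sum(size(child) for child in desc[1])

def k_equivalent(trace_a, trace_b, k, **conv):
    """Traces with the same BE_k-descriptor are k-equivalent (same truth value for every
    HS formula with Nest_BE <= k)."""
    return be_descriptor(trace_a, k, **conv) == be_descriptor(trace_b, k, **conv)

def distinct_descriptors(successors, initial, k, max_len, **conv):
    """Number of distinct BE_k-descriptors over all initial traces of length <= max_len of a
    Kripke structure given as {state: set of successors}. FACT 1: this count stops growing
    with max_len, while the number of traces keeps growing."""
    seen, frontier = set(), [(initial,)]
    for _ in range(max_len):
        seen.update(be_descriptor(t, k, **conv) for t in frontier)
        frontier = [t + (s,) for t in frontier for s in sorted(successors[t[-1]])]
    return len(seen)

# Constructed (assumed) two-state structure admitting the slides' trace: v0->v0, v0->v1, v1->v0.
K_EXAMPLE = {"v0": {"v0", "v1"}, "v1": {"v0"}}
RHO = ("v0", "v1", "v0", "v0", "v0", "v0", "v1")  # the slides' trace v0 v1 v0^4 v1

if __name__ == "__main__":
    d = be_descriptor(RHO, 2, prefixes_only=True)
    print(d[0], len(d[1]), "children", size(d), "nodes")          # root, 4 children, 11 nodes
    print(k_equivalent(RHO[:5], RHO[:6], 1, prefixes_only=True),  # True: the merged subtree
          k_equivalent(RHO[:5], RHO[:6], 2, prefixes_only=True))  # False: BE_2 tells them apart
    print([distinct_descriptors(K_EXAMPLE, "v0", 0, n) for n in (3, 4, 8)])  # [5, 7, 7]
```

The 11 printed nodes are exactly the ones drawn on the BE_2 slide, and the two prefixes v0 v1 v0³ and v0 v1 v0⁴ share one BE_1 subtree but get different BE_2-descriptors.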