Reducing CTL-Live Model Checking to First-Order Logic Validity Checking
Amirhossein Vakili and Nancy A. Day
Cheriton School of Computer Science
24 October 2014
Vakili and Day (U. of Waterloo)
CTL-Live Model Checking in FOL
24 October 2014
1 / 10
Model Checking based on SAT/SMT Solving
Safety property: Is X reachable?
[Figure: a model and the target state X are given to a model checker; the model checker repeatedly calls an SMT solver and asks "Fixpoint?" until it can answer YES/NO.]
Focus on safety properties; iteratively calls the solver.
Our Result: CTL-Live Model Checking as FOL Validity
Liveness property: Is X always reachable?
[Figure: the model and X are reduced to one first-order formula, which is handed to an SMT solver that answers YES/NO.]
Focus on liveness properties. Solved by first-order logic deduction techniques (e.g., SMT solvers). No need for abstraction or invariant generation.
CTL-Live
CTL-Live includes the CTL connectives that are defined using the least fixpoint operator of the mu-calculus.
Temporal part:
  ϕ ::= π | ϕ1 ∨ ϕ2 | ϕ1 ∧ ϕ2
      | EX ϕ | AX ϕ | EF ϕ | AF ϕ
      | ϕ1 EU ϕ2 | ϕ1 AU ϕ2
Propositional part:
  π ::= P | ¬π | π1 ∨ π2
where P is a labelling predicate.
In CTL-Live: AF P; (EF ¬P) AU (AX Q)
Not in CTL-Live: ¬(AF P); AG P
Symbolic Kripke Structures in FOL
[Figure: a counter c with initial state c = 0; from every state the next state has c + 2 or c + 3, giving states c = 2, 3, 4, 5, 6, ...]
  S = {0, 1, 2, 3, ...}                       state space
  S0(c) ⇔ c = 0                               initial states
  N(c, c′) ⇔ c′ = c + 2 ∨ c′ = c + 3          next-state relation
Notation: symbolic(K) |=c AF c > 3
  [AF c > 3] = {0, 1, 2, ...}
Intuition: States Satisfying AF P
According to the encoding of AF in the mu-calculus, [AF P] is the smallest set Y that satisfies:
  (1) ∀s • P(s) ⇒ Y(s)
  (2) ∀s • (∀s′ • N(s, s′) ⇒ Y(s′)) ⇒ Y(s)
[Figure: the state space drawn as a region containing several sets Y1, Y2, Y3, Y4, each satisfying (1) and (2); [AF P] is the part common to all of them.]
  [AF P] = ⋂_{Y ∈ Θ} Y,   where Θ = {Y | Y satisfies (1) and (2)}
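The least-fixpoint picture above, worked in code. This is an added example, not code from the slides or from the authors: an explicit-state evaluator for all of CTL-Live over a finite Kripke structure, run on a truncation of the counter from the previous slide. The truncation to S = {0, ..., 10}, the nested-tuple formula syntax and every name in the block (Kripke, lfp, sat, model_check, in_theta, af_chain, COUNTER, GT3) are assumptions of mine; the slides' structure is infinite. Cutting the state space at 10 leaves states 9 and 10 without successors, and such dead ends satisfy condition (2) vacuously, so only answers that are decided well inside the bound (AF c > 3 needs at most two steps from any state) carry over to the infinite structure.

```python
from typing import Callable, Dict, FrozenSet, List, Tuple

# Constructed finite truncation of the slides' counter: S = {0, ..., BOUND}, S0(c) <=> c = 0,
# N(c, c') <=> c' = c + 2 or c' = c + 3. States 9 and 10 have no successor inside the bound.
BOUND = 10

Formula = Tuple  # ("atom", pred) | ("not", f) | ("or", f, g) | ("and", f, g)
                 # | ("EX", f) | ("AX", f) | ("EF", f) | ("AF", f) | ("EU", f, g) | ("AU", f, g)


class Kripke:
    """Explicit-state Kripke structure built from the symbolic S0 and N predicates."""

    def __init__(self, states, init: Callable[[int], bool], nxt: Callable[[int, int], bool]):
        self.states: FrozenSet[int] = frozenset(states)
        self.init = frozenset(s for s in self.states if init(s))
        self.succ: Dict[int, FrozenSet[int]] = {
            s: frozenset(t for t in self.states if nxt(s, t)) for s in self.states
        }

    def ex(self, y: FrozenSet[int]) -> FrozenSet[int]:
        """EX Y: states with at least one successor in Y."""
        return frozenset(s for s in self.states if self.succ[s] & y)

    def ax(self, y: FrozenSet[int]) -> FrozenSet[int]:
        """AX Y: states all of whose successors lie in Y. This is exactly the antecedent
        of condition (2), so a state without successors satisfies it vacuously."""
        return frozenset(s for s in self.states if self.succ[s] <= y)


def lfp(step: Callable[[FrozenSet[int]], FrozenSet[int]]) -> List[FrozenSet[int]]:
    """Kleene iteration of a monotone set operator from the empty set.
    Returns the increasing chain Y1, Y2, ...; its last element is the least fixpoint."""
    chain, y = [], frozenset()
    while True:
        nxt = step(y)
        if nxt == y:
            return chain or [y]
        chain.append(nxt)
        y = nxt


def is_propositional(phi: Formula) -> bool:
    return phi[0] in ("atom", "not", "or", "and") and all(
        is_propositional(x) for x in phi[1:] if isinstance(x, tuple))


def sat(k: Kripke, phi: Formula) -> FrozenSet[int]:
    """[phi]: the states of k satisfying the CTL-Live formula phi (least-fixpoint semantics)."""
    op = phi[0]
    if op == "atom":
        return frozenset(s for s in k.states if phi[1](s))
    if op == "not":  # CTL-Live allows negation only in the propositional part
        if not is_propositional(phi[1]):
            raise ValueError("CTL-Live negates only propositional formulas")
        return k.states - sat(k, phi[1])
    if op == "or":
        return sat(k, phi[1]) | sat(k, phi[2])
    if op == "and":
        return sat(k, phi[1]) & sat(k, phi[2])
    a = sat(k, phi[1])
    if op == "EX":
        return k.ex(a)
    if op == "AX":
        return k.ax(a)
    if op == "EF":   # EF a = mu Y. a or EX Y
        return lfp(lambda y: a | k.ex(y))[-1]
    if op == "AF":   # AF a = mu Y. a or AX Y, i.e. the smallest Y meeting (1) and (2)
        return lfp(lambda y: a | k.ax(y))[-1]
    b = sat(k, phi[2])
    if op == "EU":   # a EU b = mu Y. b or (a and EX Y)
        return lfp(lambda y: b | (a & k.ex(y)))[-1]
    if op == "AU":   # a AU b = mu Y. b or (a and AX Y)
        return lfp(lambda y: b | (a & k.ax(y)))[-1]
    raise ValueError(f"unknown connective {op}")


def model_check(k: Kripke, phi: Formula) -> bool:
    """symbolic(K) |=c phi  iff  S0 is a subset of [phi]."""
    return k.init <= sat(k, phi)


def in_theta(k: Kripke, p: FrozenSet[int], y: FrozenSet[int]) -> bool:
    """Is y a member of Theta, i.e. does it satisfy (1) P ⊆ Y and (2) AX Y ⊆ Y?"""
    return p <= y and k.ax(y) <= y


def af_chain(k: Kripke, p: Formula) -> List[FrozenSet[int]]:
    """The chain Y1 ⊂ Y2 ⊂ ... whose limit is [AF p]."""
    ps = sat(k, p)
    return lfp(lambda y: ps | k.ax(y))


COUNTER = Kripke(range(BOUND + 1), lambda c: c == 0, lambda c, d: d in (c + 2, c + 3))
GT3: Formula = ("atom", lambda c: c > 3)

if __name__ == "__main__":
    for i, y in enumerate(af_chain(COUNTER, GT3), 1):
        print(f"Y{i} = {sorted(y)}")
    print("S0 ⊆ [AF c > 3]:", model_check(COUNTER, ("AF", GT3)))
```

Running it prints Y1 = {4, ..., 10}, Y2 = {2, ..., 10}, Y3 = {0, ..., 10}, so [AF c > 3] is the whole state space, as the slide states. Every superset of the fixpoint that is closed under (1) and (2) is in Θ, while {2, ..., 10} is not, because 0 and 1 have all their successors in it without being members. Note that AF c = 7 also comes out true on the truncation although in the infinite structure the path 0, 3, 6, 9, ... never visits 7; this is the dead-end artefact the lead-in warns about.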
Intuition: Model Checking AF P
Model checking is about a subset relation, S0 ⊆ [AF P]:
  S0 ⊆ ⋂_{Y ∈ Θ} Y   iff   ∀Y ∈ Θ • S0 ⊆ Y
Here ∀Y ∈ Θ is a higher-order universal quantifier (over sets of states), while each instance S0 ⊆ Y is a first-order logic formula.
Definition (FOL Validity): Γ |= Φ iff every interpretation that satisfies Γ also satisfies Φ.
Validity quantifies over all interpretations of the predicate symbol Y, so the higher-order quantifier is absorbed by the validity relation:
  symbolic(K)                                 (description of the model)
  + ∀s • P(s) ⇒ Y(s)
  + ∀s • (∀s′ • N(s, s′) ⇒ Y(s′)) ⇒ Y(s)
  |= S0 ⊆ Y
Our Result
Reduction procedure:
  INPUT:  symbolic(K): symbolic representation of a Kripke structure; ϕ: a CTL-Live formula.
  OUTPUT: symbolic(K) ∪ CTLL2FOL(ϕ) |= S0 ⊆ ⌈ϕ⌉
Theorem (Reduction of CTL-Live Model Checking to FOL Validity): symbolic(K) |=c ϕ iff symbolic(K) ∪ CTLL2FOL(ϕ) |= S0 ⊆ ⌈ϕ⌉.
Example (the counter from before, with ϕ = AF c > 3):
  ∀c • S0(c) ⇔ c = 0
  ∀c, c′ • N(c, c′) ⇔ c′ = c + 2 ∨ c′ = c + 3
  ∀c • c > 3 ⇒ Y(c)
  ∀c • (∀c′ • N(c, c′) ⇒ Y(c′)) ⇒ Y(c)
  |= S0 ⊆ Y
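The reduction procedure, as an added example that is not the authors' tool: a Python translator that emits the SMT-LIB2 script for symbolic(K) ∪ CTLL2FOL(ϕ) |= S0 ⊆ ⌈ϕ⌉, using the example above as input. The AF case reproduces the two axioms on the slide exactly (a fresh uninterpreted predicate Y plus conditions (1) and (2)); the EF, EU and AU cases follow the same pre-fixpoint pattern and are my extrapolation, so consult the paper for the authoritative definition. The class and function names (CTLL2FOL, validity_query, COUNTER_MODEL, AF_GT3), the Y0/s0 naming scheme, the nested-tuple formula syntax and the refutation set-up (assert the negated goal, expect unsat) are all assumptions of mine.

```python
import itertools
from typing import Callable, List, Tuple

Term = Callable[[str], str]   # maps a state-variable name to an SMT-LIB Bool term
Formula = Tuple               # e.g. ("AF", ("atom", lambda s: f"(> {s} 3)"))


def is_propositional(phi: Formula) -> bool:
    return phi[0] in ("atom", "not", "or", "and") and all(
        is_propositional(x) for x in phi[1:] if isinstance(x, tuple))


class CTLL2FOL:
    """Collects the FOL axioms that CTLL2FOL(phi) adds to symbolic(K).

    Each least-fixpoint connective gets a fresh uninterpreted predicate Y together with the
    two pre-fixpoint conditions the slides show for AF; EF/EU/AU follow the same pattern
    (my reading of the construction). The remaining connectives are defined in terms of
    their operands and add no axioms.
    """

    def __init__(self, sort: str = "Int", nxt: str = "N"):
        self.sort, self.nxt = sort, nxt
        self.decls: List[str] = []
        self.axioms: List[str] = []
        self._preds = itertools.count()
        self._vars = itertools.count()

    def fresh_pred(self) -> str:
        name = f"Y{next(self._preds)}"
        self.decls.append(f"(declare-fun {name} ({self.sort}) Bool)")
        return name

    def var(self) -> str:
        return f"s{next(self._vars)}"   # distinct bound-variable names avoid capture

    def translate(self, phi: Formula) -> Term:
        """Returns the predicate for phi as a function from a state variable to a term."""
        op, S, N = phi[0], self.sort, self.nxt
        if op == "atom":
            return phi[1]
        if op == "not":
            if not is_propositional(phi[1]):
                raise ValueError("CTL-Live negates only propositional formulas")
            a = self.translate(phi[1])
            return lambda s: f"(not {a(s)})"
        if op in ("or", "and"):
            a, b = self.translate(phi[1]), self.translate(phi[2])
            return lambda s: f"({op} {a(s)} {b(s)})"
        if op in ("EX", "AX"):
            a, t = self.translate(phi[1]), self.var()
            if op == "EX":
                return lambda s: f"(exists (({t} {S})) (and ({N} {s} {t}) {a(t)}))"
            return lambda s: f"(forall (({t} {S})) (=> ({N} {s} {t}) {a(t)}))"
        if op not in ("EF", "AF", "EU", "AU"):
            raise ValueError(f"unknown connective {op}")
        # Least-fixpoint connectives: fresh Y plus conditions (1) and (2).
        a = self.translate(phi[1])
        b = self.translate(phi[2]) if op in ("EU", "AU") else None
        y = self.fresh_pred()
        Y: Term = lambda s: f"({y} {s})"
        s, t = self.var(), self.var()
        target = b if b is not None else a           # (1): target(s) => Y(s)
        if op[0] == "E":                             # (2), existential: some successor in Y
            step, binders = f"(and ({N} {s} {t}) {Y(t)})", f"({s} {S}) ({t} {S})"
        else:                                        # (2), universal: all successors in Y
            step, binders = f"(forall (({t} {S})) (=> ({N} {s} {t}) {Y(t)}))", f"({s} {S})"
        if b is not None:                            # EU/AU additionally require a(s) now
            step = f"(and {a(s)} {step})"
        self.axioms.append(f"(assert (forall (({s} {S})) (=> {target(s)} {Y(s)})))")
        self.axioms.append(f"(assert (forall ({binders}) (=> {step} {Y(s)})))")
        return Y


def validity_query(model: List[str], phi: Formula, init: str = "S0",
                   sort: str = "Int", nxt: str = "N") -> str:
    """SMT-LIB2 script deciding  model ∪ CTLL2FOL(phi) |= S0 ⊆ ⌈phi⌉.
    Validity is decided by refutation: Γ |= Φ iff Γ ∧ ¬Φ is unsatisfiable, so the script
    asserts ∃s • S0(s) ∧ ¬⌈phi⌉(s); the property holds iff the solver answers unsat."""
    tr = CTLL2FOL(sort, nxt)
    goal = tr.translate(phi)
    v = tr.var()
    lines = ["(set-logic ALL)",
             f"(declare-fun {init} ({sort}) Bool)",
             f"(declare-fun {nxt} ({sort} {sort}) Bool)"]
    lines += model + tr.decls + tr.axioms
    lines.append(f"(assert (exists (({v} {sort})) (and ({init} {v}) (not {goal(v)}))))")
    lines.append("(check-sat)")
    return "\n".join(lines)


# Constructed symbolic(K) for the slides' counter, written as SMT-LIB assertions.
COUNTER_MODEL = [
    "(assert (forall ((c Int)) (= (S0 c) (= c 0))))",
    "(assert (forall ((c Int) (d Int)) (= (N c d) (or (= d (+ c 2)) (= d (+ c 3))))))",
]
AF_GT3: Formula = ("AF", ("atom", lambda s: f"(> {s} 3)"))

if __name__ == "__main__":
    # Pipe the output into z3 or cvc4; "unsat" means S0 ⊆ [AF c > 3] holds.
    print(validity_query(COUNTER_MODEL, AF_GT3))
```

Nested formulas simply chain: translating AF (EF c = 7) introduces Y0 for the inner EF and Y1 for the outer AF, each with its own pair of axioms, and the goal refers only to the outermost predicate. Negating a temporal subformula is rejected, which is the syntactic boundary of CTL-Live from slide 4.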
Current Progress: Infinite State Model Checking
Based on this result, we used Z3 and CVC4 to model check CTL-Live properties of 4 infinite-state systems. The case studies came from different domains. SMT solvers are efficient in model checking CTL-Live properties.
Vakili and Day, “Verifying CTL-live Properties of Infinite State Models using SMT Solvers,” to appear in the proceedings of FSE’14.
Conclusion
Presented CTL-Live, a fragment of CTL such that its model checking is reducible to FOL validity.
  - No need for abstraction or invariant generation
  - Use state-of-the-art FOL reasoners for model checking
  - Only FOL reasoning is required for verification