Checking Extended CTL Properties Using Guarded Quotient Structure - - PowerPoint PPT Presentation



SLIDE 1

Checking Extended CTL Properties Using Guarded Quotient Structure

Xiaodong Wang advised by: Professor Sistla

SLIDE 2

Outline

  • Part I: Symmetry based method
  • Part II: CCTL logic
  • Part III: Input language
  • Part IV: Model checking algorithm
SLIDE 3

Part I: Symmetry Based Method

  • Part I: Symmetry based method
    – Overview
    – QS Method
    – AQS Method
    – GQS Method
  • Part II: CCTL
  • Part III: Input language
  • Part IV: Model checking algorithm
  • Conclusion
SLIDE 4

Model Checking Overview

Diagram: system description → model building → model; model + correctness specification → model checking → yes, the system satisfies the correctness specification / no, counter-example(s)

SLIDE 5

State Explosion Problem

  • State explosion problem
    – Exponential number of states in the state space
    – Even infinite state space
  • Generally undecidable
  • Some model checking methods are optimized for specific types of systems

SLIDE 6

Symmetric System

Figure: a client module (client 1, client 2, …) and a server module (server 1, …)

To model check such systems, we employ the symmetry in the system: each module consists of identical processes.
SLIDE 7

Symmetry Based Methods Overview

Diagram: system description → symmetries → equivalence relation → model building → Quotient Structure; Quotient Structure + property (temporal logic formula) → model checking (on-the-fly) → yes, the system satisfies the property / no, output path(s)
SLIDE 8

Example: Mutual Exclusion Protocol with 2 processes

Figure: Process 1 and Process 2 each move through Non-critical (N), Trying (T) and Critical (C); the synchronized state graph has the states N1N2, N1T2, T1N2, N1C2, T1T2, C1N2, T1C2, C1T2

SLIDE 9

Process Symmetry

Figure: the state graph N1N2, N1T2, T1N2, N1C2, T1T2, C1N2, T1C2, C1T2 and its image under flip are the same graph

flip: 1 ↔ 2

SLIDE 10

Symmetry Group

  • Process symmetries of the system form a group: {flip, id}
  • Process symmetries of some systems may be obtained from the system description directly

Figure: server processes s1, s2 and client processes c1, c2, c3; the permutations exchange processes within the server module and within the client module

SLIDE 11

Equivalence Relation over States

Figure: the state graph N1N2, N1T2, T1N2, N1C2, T1T2, C1N2, T1C2, C1T2

flip(T1 N2) = T2 N1

SLIDE 12

Quotient Structure

Representative states: N1N2, N1T2, T1T2, C1N2, C1T2

Quotient Structure consisting of representative states

SLIDE 13

QS Method Overview [1]

Diagram: symmetric system description → symmetry group → equivalence relation → model building → Quotient Structure (QS); symmetric property (LTL formula) → automata; model checking: explore the product automata → yes, the system satisfies the LTL formula / no, output a trace

SLIDE 14

Symmetry Group for QS Method

  • System symmetries: {flip, id}
  • Formula symmetries for G(!(C1 ^ C2)): {flip, id}
  • Symmetry group: {flip, id}

A larger symmetry group for a symmetric system and a symmetric property

SLIDE 15

Quotient Structure

Representative states: N1N2, T1N2, T1T2, C1N2, C1T2

symmetric system: mutual exclusion protocol
symmetric property: G( !(C1 ^ C2) )

SLIDE 16

AQS Method Overview [2,3,4]

Diagram: symmetric system → system symmetry → equivalence relation → model building → Annotated Quotient Structure (AQS); symmetric/asymmetric property (LTL) → automata; model checking (on-the-fly): partially unwind the AQS (indirectly, by permuting process ids in the formula) → yes, the system satisfies the formula / no, output a trace
SLIDE 17

Symmetry Group for AQS Method

  • System symmetries: {flip, id}
  • Formula symmetry for EF(C2): {id}
  • Symmetry group: {flip, id}

SLIDE 18

Annotated Quotient Structure

symmetric system: mutual exclusion protocol

Representative states N1N2, T1N2, T1T2, C1N2, C1T2, with edges annotated by permutations (flip, id, id, flip, flip, id, id, id, id)

The AQS does not depend on the formula

SLIDE 19

Directly Unwind AQS

path in AQS: N1N2 →flip→ T1N2 →id→ T1T2 →flip→ C1T2 →flip→ T1N2 →id→ T1T2 →id→ C1T2

actual path: N1N2 → N1T2 → T1T2 → T2C1 → T1N2 → T1T2 → T1C2
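As an added example (not code from the slides), the following Python builds the 2-process mutual-exclusion state graph of slides 8 to 12, picks representatives under {id, flip}, derives the AQS edge annotations and directly unwinds an AQS path into an actual path as on this slide; the N<T<C ordering used to pick representatives is an assumption made here, chosen because it reproduces the slides' representatives.

```python
ORDER = {"N": 0, "T": 1, "C": 2}    # local states: non-critical < trying < critical
ID, FLIP = (0, 1), (1, 0)           # a permutation p is a tuple: process i is renamed to p[i]
GROUP = {"id": ID, "flip": FLIP}    # the symmetry group of the 2-process protocol

def successors(state):
    """N->T always; T->C only if the other process is not in C; C->N."""
    out = []
    for i, loc in enumerate(state):
        nxt = {"N": "T", "T": "C" if state[1 - i] != "C" else None, "C": "N"}[loc]
        if nxt:
            out.append(state[:i] + (nxt,) + state[i + 1:])
    return out

def reachable(init=("N", "N")):
    seen, todo = {init}, [init]
    while todo:
        for t in successors(todo.pop()):
            if t not in seen:
                seen.add(t); todo.append(t)
    return seen

def apply(p, state):                # p(state): the local state of process i moves to slot p[i]
    out = [None] * len(state)
    for i, loc in enumerate(state): out[p[i]] = loc
    return tuple(out)

def inverse(p):
    return tuple(sorted(range(len(p)), key=lambda i: p[i]))
def compose(p, q):                  # (p*q)(i) = p(q(i))
    return tuple(p[q[i]] for i in range(len(q)))

def representative(state):
    # largest orbit element in N<T<C order (assumption); reproduces the slides' T1N2, C1N2, C1T2
    return max((apply(p, state) for p in GROUP.values()), key=lambda s: [ORDER[x] for x in s])

def build_aqs(init=("N", "N")):
    """AQS edges (rep, name, rep'): the named permutation maps the real successor of rep onto rep'."""
    reps = {representative(s) for s in reachable(init)}
    edges = set()
    for r in reps:
        for t in successors(r):
            name = next(n for n, p in GROUP.items() if apply(p, t) == representative(t))
            edges.add((r, name, representative(t)))
    return reps, edges

def unwind(init, aqs_path):
    """Direct unwinding: actual state k = (p_k * ... * p_1)^-1 applied to the k-th representative."""
    acc, actual = ID, [init]
    for name, rep in aqs_path:
        acc = compose(GROUP[name], acc)
        actual.append(apply(inverse(acc), rep))
    return actual
```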

SLIDE 20

Indirectly Unwind AQS

permuted atomic proposition along the path: C2, C1, C1, C2, C1, C1, C1

atomic proposition C2: (flip*id*flip)([T2,C1]) satisfies C2 iff [T2,C1] satisfies C_((flip*id*flip)^-1(2))

path in AQS: N1N2 →flip→ T1N2 →id→ T1T2 →flip→ C1T2 →flip→ T1N2 →id→ T1T2 →id→ C1T2

SLIDE 21

GQS Method Overview [5]

Diagram: symmetric/asymmetric system → add edges → symmetric system → symmetries → equivalence relation → model building → AQS → add guards → Guarded Quotient Structure (GQS); symmetric/asymmetric property (LTL) → automata; model checking: partially unwind the GQS (check guards, permute process ids in the formula and in the guards) → yes, the system satisfies the property / no, output a trace

SLIDE 22

Partial Symmetric / Asymmetric Systems

Figure: Process 1 and Process 2, each with Non-critical (N), Trying (T) and Critical (C)

When process 1 and process 2 are both in “T”, process 1 has higher priority to enter “C”: a partially symmetric system

SLIDE 23

From Partially Symmetric to Symmetric

Figure: state graph of the partially symmetric system (left) and of the symmetric system (right), both over the states N1N2, N1T2, T1N2, N1C2, T1T2, C1N2, T1C2, C1T2

Add edges to make it more symmetric: partially symmetric system → symmetric system

This may be done directly on the system description, i.e. by ignoring the priorities.

SLIDE 24

Guarded Quotient Structure

AQS: representative states N1N2, T1N2, T1T2, C1N2, C1T2, with edges annotated by permutations (flip, id, id, flip, flip, id, id, id, id)

add edge conditions

GQS: the same representative states and annotations, but two of the edges (one annotated flip, one annotated id) now carry the guard T1^C1'

SLIDE 25

Infeasible Path

path in GQS: N1N2 →flip→ T1N2 →id→ T1T2 →flip, T1^C1'→ C1T2 →flip→ T1N2 →id→ T1T2 →id, T1^C1'→ C1T2

corresponding actual path: N1N2 → N1T2 → T1T2 → T2C1 → T1N2 → T1T2 → T1C2 is infeasible

SLIDE 26

Summary of the Three Symmetry Based Methods

  • QS method
    – Primarily safety properties
    – Symmetric systems and symmetric properties
  • AQS method
    – Both safety and liveness properties
    – Symmetric systems
  • GQS method
    – Both safety and liveness properties
    – Partially symmetric and asymmetric systems

SLIDE 27

Question ?

SLIDE 28

Part II : CCTL Logic

  • Part I: Symmetry based method
  • Part II: CCTL
    – CCTL syntax
    – CCTL semantics
  • Part III: Input language
  • Part IV: Model checking algorithm
  • Conclusion
SLIDE 29

CCTL Syntax

<formula> ::= <atomic formula>
            | <count-term> <comp-operator> <count-term>
            | <formula> ^ <formula> | ! <formula>
            | EX(<formula>) | EfairX(<formula>)
            | EG(<formula>) | EfairG(<formula>)
            | E(<formula> U <formula>) | Efair(<formula> U <formula>)
<count-term> ::= COUNT(i, M, <formula>) | <constant>

SLIDE 30

CCTL Syntax Cont.

  • Fairness path quantifier: Efair (weak/strong process fairness)
  • COUNT term: COUNT(i, M, h(i))
    – i: free process variable in h
    – M: set of process ids i ranges over
    – h(i): CCTL formula
    – Example: COUNT(i, client, Ci)

Figure: the path N1N2 → N1T2 → T1T2 → T2C1 → N1T2 → T1T2 → T2C1 → … is an “unfair” path (process 2 is trying from the second state on but never enters C)

SLIDE 31

COUNT Term's Semantics

In state S = N2C1: COUNT(i, client, Ci) at S = 1

Figure: state graph N1N2, N1T2, T1N2, N1C2, T1T2, C1N2, T1C2, C1T2 with a state S marked

COUNT(i, client, Ti ^ EX(Ci)) at S = 2

SLIDE 32

Why Introduce the COUNT Term

Without COUNT, the property COUNT(i, {1,2,3,4}, g(i)) = COUNT(i, {1,2,3,4}, h(i)) has to be written out as
f = (g(1)^!g(2)^!g(3)^!g(4) ^ h(1)^!h(2)^!h(3)^!h(4)) v (g(1)^!g(2)^!g(3)^!g(4) ^ !h(1)^h(2)^!h(3)^!h(4)) v ...
which contains 70 sub-formulas (one disjunct per pair of equal-size subsets of {1,2,3,4}: Σ_k C(4,k)² = 70).

  • Uniformly express properties such as the one above
  • Evaluate the COUNT term efficiently
SLIDE 33

Express Other Temporal Operators and Process Quantifiers

  • Other temporal operators:
    AX(f) = ! EX(! f)
    AG(f) = ! EF(! f)
    A(f1 U f2) = ! (EG(! f2) v E(! f2 U (! f1 ^ ! f2)))
  • Process quantifiers:
    Universal quantifier: COUNT(i, M, h(i)) = COUNT(i, M, True)
    Existential quantifier: COUNT(i, M, h(i)) > 0

SLIDE 34

Question ?

SLIDE 35

Part III: Input Language

  • Part I: Symmetry based method
  • Part II: CCTL
  • Part III: Input language
  • Part IV: Model checking algorithm
  • Conclusion
SLIDE 36

Structure of Input

Diagram: the input consists of modules (module 1, module 2, ...), each with initial values and transition templates, plus a CCTL formula and an evaluation for the CCTL formula. Concurrent program: processes are instantiated from modules by instantiating all the transition templates in that module.

SLIDE 37

Concurrent Program

  • Program variable: reply[i,j]
  • Process variable: i, j
  • Transition template:

    cl of controller {
      ...
      lc[cl] == 0 & request[cl,k] == 1 & ALL(i: reply[i,k] == 0)
      reply[ck,k] = 1, buzy[cl] == 1, lc[cl] == 1
      (Priority: 0-1;2-5)
      ...
    }

  • Priority specification: (Priority: 0-1;2-5)
  • Multiple priority specifications are allowed in one module

SLIDE 38

CCTL Formula and Evaluation

  • CCTL formula using only free process variables: AG(lk[i] != 2 V lk[j] != 2)
  • Evaluation of the free process variables in the formula: i = 1, j = 2

SLIDE 39

Question ?

SLIDE 40

Part IV: Model Checking Algorithm

  • Part I: Symmetry based method
  • Part II: CCTL
  • Part III: Input language
  • Part IV: Model checking algorithm
    – Overview
    – Employing GQS
    – Evaluate COUNT term
    – Model checking procedures
    – Implementation and Experiments
  • Conclusion
SLIDE 41

Overview

  • Assume the GQS has been fully constructed
  • Model checking the CCTL formula employing the GQS:
    – Indirectly unwind the GQS
    – Quantifier elimination
    – Work inductively over the structure of the CCTL formula

SLIDE 42

Why the Algorithm is Efficient

  • Quantifier elimination: only check the formula with representatives of each equivalence class
  • Lazy evaluation: f1 ^ f2
  • Formula decomposition
  • Sub-formula tracking
SLIDE 43

Indirectly Unwind GQS

path in GQS: N1N2 →flip1→ T1N2 →id2→ T1T2 →flip3, T1^C1'→ C1T2 →flip4→ T1N2 →id5→ T1T2 →id6, T1^C1'→ C1T2

actual path: N1N2 → N1T2 → T1T2 → T2C1 → T1N2 → T1T2 → T1C2

inverse of the accumulated permutation after each step: id; Flip1^-1; id2^-1 * Flip1^-1; flip3^-1 * id2^-1 * Flip1^-1; flip4^-1 * flip3^-1 * id2^-1 * Flip1^-1; id5^-1 * flip4^-1 * flip3^-1 * id2^-1 * Flip1^-1

permuted evaluation of i and j along the path: 1 2 2 1 2 1 1 2 2 1 2 1

permuted edge condition along the path: T1^C1', T2^C2', T2^C2', T1^C1', T2^C2', T2^C2'

SLIDE 44

Naïve Method to Evaluate COUNT Term

To evaluate COUNT(i, {1,2,3,4,5,6}, h(i,j)) on S under the evaluation f (j = 3), check h(1,3), h(2,3), h(3,3), h(4,3), h(5,3), h(6,3) one by one.

COUNT(i, {1,2,3,4,5,6}, h(i,j)) = 3; this may be quite inefficient for a large number of process ids.

SLIDE 45

Evaluate COUNT Term Efficiently

Set of process ids i ranges over: {1, 2, 3, 4, 5, 6}; divide it into equivalence classes {1, 2}, {3}, {4, 5, 6}; choose the representatives 1, 3, 4; check h only with the representatives: h(1,3), h(3,3), h(4,3).

COUNT(i, {1,2,3,4,5,6}, h(i,j)) = 3

SLIDE 46

State Symmetry

  • State symmetry of a state: a permutation that maps the state onto itself (e.g. flip(S1) = S1)
  • Property of state symmetry: formulas permuted from the same formula by state symmetries of a state have the same truth value on the state

Example: S1 = T1T2 has state symmetry {flip, id}; S2 = T2C1 has state symmetry {id}

Since flip(S1) = S1: S1 satisfies EG(C1) iff flip(S1) satisfies flip(EG(C1)), i.e. S1 satisfies EG(C2)

SLIDE 47

Utilizing State Symmetry

COUNT(i, {1,2,3,4,5,6}, h(i,j)) on S under the evaluation f (j = 3)

S's state symmetries:
  1 ↔ 2: h(1,3) => h(2,3), h(2,3) => h(1,3)
  4 ↔ 5: h(4,3) => h(5,3), h(5,3) => h(4,3)
  4 ↔ 6: h(4,3) => h(6,3), h(6,3) => h(4,3)
  1 ↔ 3: h(1,3) => h(3,1), h(3,3) => h(1,1)   (does not fix j = 3, so it cannot be used)

classes: {1, 2, 3} and {4, 5, 6} under all state symmetries of S; {1, 2}, {3} and {4, 5, 6} once j = 3 must be fixed

SLIDE 48

Equivalence Relation Over M

Let S be a state in the GQS, Aut(S) the set of state symmetries of S, and f the evaluation. Then i ~ j if and only if there exists p in Aut(S) such that p(f(v)) = f(v) for each v in dom(f), and p(i) = j.
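As an added example (not code from the slides), the following Python implements the relation defined on this slide and the quantifier-elimination step of slides 44 to 47: it computes Aut(S) by brute force over all permutations of six process ids, partitions M so that a usable symmetry must fix the process ids bound by f, and evaluates the COUNT term once per class; the sample state and the formula h(i, j) ("client i is in the same local state as client j") are constructed here, not taken from the slides.

```python
from itertools import permutations

# Constructed sample state S with six client processes (ids 1..6), shaped like the slides'
# example: clients 1, 2, 3 are Trying and clients 4, 5, 6 are Non-critical.
SAMPLE_STATE = {1: "T", 2: "T", 3: "T", 4: "N", 5: "N", 6: "N"}

def state_symmetries(state):
    """Aut(S): permutations p of the process ids with p(S) = S, i.e. state[p[i]] == state[i] for all i."""
    ids = sorted(state)
    return [p for p in (dict(zip(ids, q)) for q in permutations(ids))
            if all(state[p[i]] == state[i] for i in ids)]

def id_classes(M, aut, f):
    """Partition M: i ~ j iff some p in Aut(S) fixes every process id bound by f and maps i to j."""
    fixed = set(f.values())
    usable = [p for p in aut if all(p[v] == v for v in fixed)]   # stabiliser of f's values
    classes, left = [], set(M)
    while left:
        i = min(left)
        orbit = {p[i] for p in usable} & left      # everything reachable from i by a usable symmetry
        classes.append(sorted(orbit))
        left -= orbit
    return classes

def h_same_local_state(state, i, f):
    """Constructed h(i, j): client i is in the same local state as client j (j given by f)."""
    return state[i] == state[f["j"]]

def count_naive(state, M, h, f):
    """COUNT(i, M, h(i, j)) on S by checking h for every id in M (slide 44)."""
    return sum(h(state, i, f) for i in M)

def count_term(state, M, h, f):
    """COUNT(i, M, h(i, j)) on S by checking h once per class and weighting by class size (slide 45)."""
    classes = id_classes(M, state_symmetries(state), f)
    return sum(len(cls) * h(state, cls[0], f) for cls in classes)
```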

SLIDE 49

Model Checking With Fairness

  • S satisfies exist_fair_path means there exists a fair path from S
  • Transform formulas with the fairness path quantifier:
    EfairX(f) = EX(f ^ exist_fair_path)
    Efair(f1 U f2) = E(f1 U (f2 ^ exist_fair_path))
    EfairG(f): cannot be transformed with exist_fair_path

SLIDE 50

Major Data Structures

  • label: <formula, evaluation, edge_vector>
    – labels are associated with states in the GQS
    – <h,f,k> in S denotes that h is satisfied on S with evaluation f and edge vector k
  • mark: <formula, evaluation, edge_vector>
    – marks are associated with states in the GQS
    – <h,f,k> in S denotes that we have checked h against S with evaluation f and edge vector k

SLIDE 51

Check Procedure

  • Invoked on the initial state S0
  • Controlling procedure: invokes the other procedures; the check procedure labels states with a formula once its truth value in those states is determined

check(h,f,k,s) dispatches on the form of h:
  h = E(f1 U f2) → EUCheck(h,f,k,s)
  h = EG(f) → EGCheck(h,f,k,s)
  h = EfairG(f) → EfairGCheck(h,f,k,s)
  h = exist_fair_path → efpCheck(h,f,k,s)

SLIDE 52

Other Procedures

  • EUCheck: E(f1 U f2)
  • EGCheck: EG(f)
  • EfairGCheck: EfairG(f)
  • efpCheck: exist_fair_path
  • Associate a mark with state S when one of these procedures is invoked with the given parameters on the state for the first time

SLIDE 53

Implementation: Minimize Memory Consumption

  • May consume a lot of memory
  • Permutations: up to n! (n: # of processes): only store inverse permutations
  • Labels and marks of the GQS: up to N * Cl

Store a label or mark <h, f, k> as <h, p> with (f, k) = (p(f0), p(k0)); f0: evaluation in input, k0: process ids in edge condition
SLIDE 54

Implementation: Search of Labels and Marks

Labels <h, p1>, <h, p2>, <h, p3> are stored in a hash table under the keys k1, k2, k3 = hash(p(f0), p(k0)); to look up <h, p>, compute its key k = hash(p(f0), p(k0)) and probe the table.

Compute the hash key hash(p(f0), p(k0)) efficiently

SLIDE 55

Experiments

  • Cache Coherence Protocol: mutual exclusion property, no two clients can hold the cache line exclusively at the same time
  • Resource Controller Protocol: mutual exclusion property, no two clients can hold the resource at the same time

SLIDE 56

Experimental Results

Protocol                      Client#   quant_elim   Mark#    Time(s)
Resource Controller Protocol     10       Yes           208     0.02
Resource Controller Protocol     10       No           3780     1.6
Resource Controller Protocol     20       Yes           448     0.12
Resource Controller Protocol     20       No              *     *
Cache Coherence Protocol          4       Yes         96712     5.7
Cache Coherence Protocol          4       No         115344     6.9

“*” indicates stack overflow

SLIDE 57

Question ?

SLIDE 58

Conclusion

  • The model checking algorithm is useful in checking complex properties
  • Experiments show speed-up
  • Need to combine with other methods
SLIDE 59

Selected Reference

  • [1] Emerson, E. A., Sistla, A. P., Symmetry and Model Checking
  • [2] Emerson, E. A., Sistla, A. P., Utilizing Symmetry when Model Checking under Fairness Assumptions: An Automata-theoretic Approach
  • [3] Gyuris, V., Sistla, A. P., On-the-Fly Model Checking under Fairness that Exploits Symmetry
  • [4] Sistla, A. P., Gyuris, V., Emerson, E. A., SMC: A Symmetry based Model Checker for Verification of Safety and Liveness Properties
  • [5] Sistla, A. P., Godefroid, P., Symmetry and Reduced Symmetry in Model Checking

SLIDE 60

Thank you!