Reducing CTL-Live Model Checking to First-Order Logic Validity - - PowerPoint PPT Presentation

Reducing CTL-Live Model Checking to First-Order Logic Validity Checking

Amirhossein Vakili and Nancy A. Day

Cheriton School of Computer Science

24 October 2014

Vakili and Day (U. of Waterloo) CTL-Live Model Checking in FOL 24 October 2014 1 / 10

Model Checking based on SAT/SMT Solving

Model:

..... ..... .....

X

Model Checker

Fixpoint? SMT solver

Safety Property:

Is X reachable? YES/NO

Focus on safety properties Iteratively calls the solver

Vakili and Day (U. of Waterloo) CTL-Live Model Checking in FOL 24 October 2014 2 / 10

Our Result: CTL-Live Model Checking as FOL Validity

Model:

..... ..... .....

X

Model Checker

Reduction SMT solver

Liveness Property:

Is X always reachable? YES/NO

Focus on liveness properties Solved by first-order logic deduction techniques (e.g., SMT solvers) No need for abstraction or invariant generation

Vakili and Day (U. of Waterloo) CTL-Live Model Checking in FOL 24 October 2014 3 / 10

CTL-Live

CTL-Live includes CTL connectives that are defined using the least fixpoint operator of mu-calculus. Temporal part ϕ ::= π | ϕ1 ∨ ϕ2 | ϕ1 ∧ ϕ2 ::= EXϕ | AXϕ | EFϕ | AFϕ ::= ϕ1EUϕ2 | ϕ1AUϕ2 Propositional part π ::= P | ¬π | π1 ∨ π2 where P is a labelling predicate.

Vakili and Day (U. of Waterloo) CTL-Live Model Checking in FOL 24 October 2014 4 / 10

CTL-Live

CTL-Live includes CTL connectives that are defined using the least fixpoint operator of mu-calculus. Temporal part ϕ ::= π | ϕ1 ∨ ϕ2 | ϕ1 ∧ ϕ2 ::= EXϕ | AXϕ | EFϕ | AFϕ ::= ϕ1EUϕ2 | ϕ1AUϕ2 Propositional part π ::= P | ¬π | π1 ∨ π2 where P is a labelling predicate. In CTL-Live AF P (EF¬P) AU (AXQ)

Vakili and Day (U. of Waterloo) CTL-Live Model Checking in FOL 24 October 2014 4 / 10

CTL-Live

CTL-Live includes CTL connectives that are defined using the least fixpoint operator of mu-calculus. Temporal part ϕ ::= π | ϕ1 ∨ ϕ2 | ϕ1 ∧ ϕ2 ::= EXϕ | AXϕ | EFϕ | AFϕ ::= ϕ1EUϕ2 | ϕ1AUϕ2 Propositional part π ::= P | ¬π | π1 ∨ π2 where P is a labelling predicate. In CTL-Live AF P (EF¬P) AU (AXQ) Not In CTL-Live ¬(AF P) AG P

Vakili and Day (U. of Waterloo) CTL-Live Model Checking in FOL 24 October 2014 4 / 10

Symbolic Kripke Structures in FOL

c = 0 initial c = 2 c = 3 c = 4 ... c = 5 ... c = 6 ... Vakili and Day (U. of Waterloo) CTL-Live Model Checking in FOL 24 October 2014 5 / 10

Symbolic Kripke Structures in FOL

c = 0 initial c = 2 c = 3 c = 4 ... c = 5 ... c = 6 ...

S = {0, 1, 2, 3, ..} state space S0(c) ⇔ c = 0 initial states N(c, c′) ⇔ c′ = c + 2 ∨ c′ = c + 3 next-state relation

Vakili and Day (U. of Waterloo) CTL-Live Model Checking in FOL 24 October 2014 5 / 10

Symbolic Kripke Structures in FOL

c = 0 initial c = 2 c = 3 c = 4 ... c = 5 ... c = 6 ...

S = {0, 1, 2, 3, ..} state space S0(c) ⇔ c = 0 initial states N(c, c′) ⇔ c′ = c + 2 ∨ c′ = c + 3 next-state relation Notation symbolic(K) | =c AF c > 3 [AF c > 3] = {0, 1, 2, ...}

Vakili and Day (U. of Waterloo) CTL-Live Model Checking in FOL 24 October 2014 5 / 10

Intuition: States Satisfying AF P

According to encoding of AF in mu-calculus, [AF P] is the smallest set Y that satisfies: (1)∀s • P(s) ⇒ Y (s) (2)∀s •

• ∀s′ • N(s, s′) ⇒ Y (s′)
• ⇒ Y (s)

Vakili and Day (U. of Waterloo) CTL-Live Model Checking in FOL 24 October 2014 6 / 10

Intuition: States Satisfying AF P

According to encoding of AF in mu-calculus, [AF P] is the smallest set Y that satisfies: (1)∀s • P(s) ⇒ Y (s) (2)∀s •

• ∀s′ • N(s, s′) ⇒ Y (s′)
• ⇒ Y (s)

State Space

Vakili and Day (U. of Waterloo) CTL-Live Model Checking in FOL 24 October 2014 6 / 10

Intuition: States Satisfying AF P

According to encoding of AF in mu-calculus, [AF P] is the smallest set Y that satisfies: (1)∀s • P(s) ⇒ Y (s) (2)∀s •

• ∀s′ • N(s, s′) ⇒ Y (s′)
• ⇒ Y (s)

State Space Y1

Vakili and Day (U. of Waterloo) CTL-Live Model Checking in FOL 24 October 2014 6 / 10

Intuition: States Satisfying AF P

According to encoding of AF in mu-calculus, [AF P] is the smallest set Y that satisfies: (1)∀s • P(s) ⇒ Y (s) (2)∀s •

• ∀s′ • N(s, s′) ⇒ Y (s′)
• ⇒ Y (s)

State Space Y1 Y2

Vakili and Day (U. of Waterloo) CTL-Live Model Checking in FOL 24 October 2014 6 / 10

Intuition: States Satisfying AF P

According to encoding of AF in mu-calculus, [AF P] is the smallest set Y that satisfies: (1)∀s • P(s) ⇒ Y (s) (2)∀s •

• ∀s′ • N(s, s′) ⇒ Y (s′)
• ⇒ Y (s)

State Space Y1 Y2 Y3

Vakili and Day (U. of Waterloo) CTL-Live Model Checking in FOL 24 October 2014 6 / 10

Intuition: States Satisfying AF P

According to encoding of AF in mu-calculus, [AF P] is the smallest set Y that satisfies: (1)∀s • P(s) ⇒ Y (s) (2)∀s •

• ∀s′ • N(s, s′) ⇒ Y (s′)
• ⇒ Y (s)

State Space Y1 Y2 Y3 Y4

Vakili and Day (U. of Waterloo) CTL-Live Model Checking in FOL 24 October 2014 6 / 10

Intuition: States Satisfying AF P

According to encoding of AF in mu-calculus, [AF P] is the smallest set Y that satisfies: (1)∀s • P(s) ⇒ Y (s) (2)∀s •

• ∀s′ • N(s, s′) ⇒ Y (s′)
• ⇒ Y (s)

State Space Y1 Y2 Y3 Y4 [AF P]

[AF P] =

• Y ∈ Θ

Y where Θ = {Y s satisfying (1), (2)}

Vakili and Day (U. of Waterloo) CTL-Live Model Checking in FOL 24 October 2014 6 / 10

Intuition: Model Checking AF P

Model checking is about a subset relation, S0 ⊆ [AF P]: S0 ⊆

• Y ∈ Θ

Y

Vakili and Day (U. of Waterloo) CTL-Live Model Checking in FOL 24 October 2014 7 / 10

Intuition: Model Checking AF P

Model checking is about a subset relation, S0 ⊆ [AF P]: S0 ⊆

• Y ∈ Θ

Y iff ∀Y ∈ Θ • S0 ⊆ Y

Vakili and Day (U. of Waterloo) CTL-Live Model Checking in FOL 24 October 2014 7 / 10

Intuition: Model Checking AF P

Model checking is about a subset relation, S0 ⊆ [AF P]: S0 ⊆

• Y ∈ Θ

Y iff ∀Y ∈ Θ • S0 ⊆ Y Higher-order universal quantifier

Vakili and Day (U. of Waterloo) CTL-Live Model Checking in FOL 24 October 2014 7 / 10

Intuition: Model Checking AF P

Model checking is about a subset relation, S0 ⊆ [AF P]: S0 ⊆

• Y ∈ Θ

Y iff ∀Y ∈ Θ • S0 ⊆ Y Higher-order universal quantifier First-order logic formula

Vakili and Day (U. of Waterloo) CTL-Live Model Checking in FOL 24 October 2014 7 / 10

Intuition: Model Checking AF P

Model checking is about a subset relation, S0 ⊆ [AF P]: S0 ⊆

• Y ∈ Θ

Y iff ∀Y ∈ Θ • S0 ⊆ Y Higher-order universal quantifier First-order logic formula

Definition (FOL Validity)

Γ | = Φ iff every interpretation that satisfies Γ also satisfies Φ.

Vakili and Day (U. of Waterloo) CTL-Live Model Checking in FOL 24 October 2014 7 / 10

Intuition: Model Checking AF P

Model checking is about a subset relation, S0 ⊆ [AF P]: S0 ⊆

• Y ∈ Θ

Y iff ∀Y ∈ Θ • S0 ⊆ Y Higher-order universal quantifier First-order logic formula

Definition (FOL Validity)

Γ | = Φ iff every interpretation that satisfies Γ also satisfies Φ.

Description of model + ∀s • P(s) ⇒ Y (s) | = S0 ⊆ Y symbolic(K) ∀s •

• ∀s′ • N(s, s′) ⇒ Y (s′)
• ⇒ Y (s)

Vakili and Day (U. of Waterloo) CTL-Live Model Checking in FOL 24 October 2014 7 / 10

Our Result

Reduction Procedure: INPUT: symbolic(K) : symbolic representation of a Kripke structure. ϕ

: a CTL-Live formula.

OUTPUT: symbolic(K) CTLL2FOL(ϕ) | = S0 ⊆ ⌈ϕ⌉

Theorem (Reduction of CTL-Live Model Checking to FOL Validity)

symbolic(K) | =c ϕ iff symbolic(K)

• CTLL2FOL(ϕ) |

= S0 ⊆ ⌈ϕ⌉

Vakili and Day (U. of Waterloo) CTL-Live Model Checking in FOL 24 October 2014 8 / 10

Our Result

Reduction Procedure: INPUT: symbolic(K) : symbolic representation of a Kripke structure. ϕ

: a CTL-Live formula.

OUTPUT: symbolic(K) CTLL2FOL(ϕ) | = S0 ⊆ ⌈ϕ⌉

Example: ∀c • S0(c) ⇔ c = 0 ∀c, c′ • N(c, c′) ⇔ c′ = c + 2 ∨ c′ = c + 3 ∀c • c > 3 ⇒ Y (c) ∀c •

• ∀c′ • N(c, c′) ⇒ Y (c′)
• ⇒ Y (c)

| = S0 ⊆ Y

Vakili and Day (U. of Waterloo) CTL-Live Model Checking in FOL 24 October 2014 8 / 10

Our Result

Reduction Procedure: INPUT: symbolic(K) : symbolic representation of a Kripke structure. ϕ

: a CTL-Live formula.

OUTPUT: symbolic(K) CTLL2FOL(ϕ) | = S0 ⊆ ⌈ϕ⌉

Example: ∀c • S0(c) ⇔ c = 0 ∀c, c′ • N(c, c′) ⇔ c′ = c + 2 ∨ c′ = c + 3 ∀c • c > 3 ⇒ Y (c) ∀c •

• ∀c′ • N(c, c′) ⇒ Y (c′)
• ⇒ Y (c)

| = S0 ⊆ Y

Vakili and Day (U. of Waterloo) CTL-Live Model Checking in FOL 24 October 2014 8 / 10

Our Result

Reduction Procedure: INPUT: symbolic(K) : symbolic representation of a Kripke structure. ϕ

: a CTL-Live formula.

OUTPUT: symbolic(K) CTLL2FOL(ϕ) | = S0 ⊆ ⌈ϕ⌉

Example: ∀c • S0(c) ⇔ c = 0 ∀c, c′ • N(c, c′) ⇔ c′ = c + 2 ∨ c′ = c + 3 ∀c • c > 3 ⇒ Y (c) ∀c •

• ∀c′ • N(c, c′) ⇒ Y (c′)
• ⇒ Y (c)

| = S0 ⊆ Y

Vakili and Day (U. of Waterloo) CTL-Live Model Checking in FOL 24 October 2014 8 / 10

Current Progress: Infinite State Model Checking

Based on this result, we used Z3 and CVC4 to model check CTL-Live properties of 4 infinite systems. Case studies were from different domains. SMT solvers are efficient in model checking CTL-Live properties.

Vakili and Day, “Verifying CTL-live Properties of Infinite State Models using SMT Solvers,” To appear in the proceedings of FSE’14.

Vakili and Day (U. of Waterloo) CTL-Live Model Checking in FOL 24 October 2014 9 / 10

Conclusion

Presented CTL-Live, a fragment of CTL such that its model checking is reducible to FOL validity.

◮ No need for abstraction or invariant generation ◮ Use state-of-the-art FOL reasoners for model checking ◮ Only FOL reasoning is required for verification Vakili and Day (U. of Waterloo) CTL-Live Model Checking in FOL 24 October 2014 10 / 10