Transcript Automata Generation for On-the-fly Automatic Verification

On-the-fly Model Checking from
Interval Logic Specifications
Manuel I. Capel & Miguel J. Hornos
Dept. Lenguajes y Sistemas Informáticos
Universidad de Granada
(Spain)
E-mail: {mcapel, mhornos}@ugr.es
Outline of the talk
1. Motivation
2. Context
3. Objectives
4. Specification formalism
5. Algorithm
6. Measurements & conclusions
1. MOTIVATION
Motivation
+
Specification and verification of concurrent systems is difficult
+
+
+
Temporal Logics are appropiate formalisms to specify
properties of linear behaviour
+
+
+
Infinite executions
Large number of different possible executions
Difficult to use and understand
Textual representation
Interval logics overcome these difficulties
+
+
+
Intervals facilitate the definition of limited temporal contexts
Graphical representation
Specifications more understandable and intuitive
2. CONTEXT
Problem context
+
Finite representation of system’s properties
expressed as interval logic formulas
+
+
+
Tableau algorithm that automatically generates
the equivalent automaton
Concurrent System P
Specification 


L (A )
No tableau algorithms for model checking onthe-fly (until now…)
L (A )
L (P)
Automatic verification of reactive systems 
Model checking
1. Build the property automaton A
2. Calculate the system automaton P =Pi
3. Find the product automaton P  A
4. Check non-emptiness of L (P  A )

L (A )
L (A )
L (P)
Counterexamples
3. OBJECTIVES
Objectives
+
Classic approach to build a Model Checking tool
+
+
+
Leads to the state explosion problem
Approach to be followed: model checking on-the-fly
+
Nodes are generated only when are needed by the algorithm
+
State generation is combined with the search of a counterexample
+
In many cases, it is not necessary to construct the whole state space
Main objective: Integration of the tableau method with the onthe-fly approach for an interval logic
4. SPECIFICATION FORMALISM
Specification formalism
GIL (Graphical Interval Logic) is the specification formalism
+
+
Propositional Linear-time Temporal Logic
+
Interval as the key construct
Types of properties
+
+
+
+
Initial property
[
)
Invariant property
[
)
Eventuality property
f
[
f
f
)
4. SPECIFICATION FORMALISM
Graphical syntax of GIL
+
Establishment of specific contexts: intervals
.
a
b
c
d
+
Use of standard operators and nested intervals
.
a1a
c1

c2
b1b2
.
d1
d2

d3
d4
4. SPECIFICATION FORMALISM
Comparison with LTL
+
Example of a system specification in GIL
a
.
a
a
a
bc

d
+
Specification of the same behaviour, but in LTL
a  (a U (a U (((bc) U a) P a)  d U a))
U (weak until), U (strong until) and P (precedes) defined as f P g=(f U g)
+
FIL (Future Interval Logic) is the formal basis of GIL
a [a,a|a,a,a) ((bc)  d)
4. SPECIFICATION FORMALISM
Syntax and Semantics of FIL
+
Restricted Syntax
f
::== p | f | f1  f2 | I f
I ::== [q1|q2) | [-|q2) | [q1|)
q ::== f | f,q
+
Default-to-true Semantics
+
Non-negated interval formula
+
Either properly satisfied
+
[a|b)c
or vacuously satisfied (the null context ocurrs)
+ A search fails
a
b
c
[a|)F = a
[b|)F =  b
+ The state located by q1 does not precede the state located by q2
+
Negated interval formula
+ Only can be properly satisfied
[a|b)c
a
c
b
5. ALGORITHM
Phase 1: Graph construction
+
Creation of the transition system from the specification
+ Input: a FIL specification 
+
+
+
+
Output: the set Graph_Nodes
Rooted in Gerth et al.’s algorithm [8]
Name
Incoming
New
N1
{init}

Old
Next


Expansion order: Depth First Search
Analysis of each formula in the field New
+
+
+
The node is updated
The node is divided
The node is discarded
5. ALGORITHM
Tableau expansion rules
+
All the nodes are created from the initial node using expansion rules,
such as the following ones:

New1()
New2()
New3()
New4()
Newc()
Nextc ()
1
2

—
—
—
—
{, }
—

{}
—
—
—
{}
—
3
[,q1|)
{, [q1|)}
{, T}
{[,q1|)F, T}
{[ |)F, T}
4
[,q1|) {, [q1|)}
—
—
—
5
6
{, , [,q1|)F,
[ |)F}
{, , [,q1|)F,
 [|)F}
{}
{}
[ |)F
—
—
—
—
{}
{}
[ |)F
{, T }
—
—
—
{}
{}
1
+
2
3
4
5
6
Expansion rules derived from the reduction relation and the FIL
semantics [14], so that:
  i (Newi)  (Newc()  XNextc())
7
5. ALGORITHM
An example of graph construction
+
+
+
+
+
Input:
Output:
 = {[b|)F} = {b}
Graph_Nodes
Name
Incoming
New
Old
Next
N2
{init, N2}

N3
{init, N2}

{[b|)F , b}

N4
{N3, N4}



{[b|)F , b} {[b|)F }
MIncoming(N)  transition MN
initIncoming(N)  N is an initial node
Label of node N:  literals(Old(N))
N2 {b}
N3
N4 T
{b}
5. ALGORITHM
Phase 2: Transforming
the graph into the Büchi automaton
+
+
+
The graph obtained allows some runs inducing sequences that are
not models of the specification 
Solution: to impose generalized Büchi acceptance conditions
Acceptance condition (AC) is defined by each set of
eventuality formulas that share their last search 
ACi
+
{ [qi,1, i|)F, [qi,2, i|)F, …, [qi,n, i|)F}
A node satisfies the condition defined by an acceptance set if:
+
+
Either if does not promise any of the eventuality formulas in the
acceptance set
or it immediately satisfies the eventualities from this set that it
promises
5. ALGORITHM
Determining the accepting states
+
Accepting states determination procedure
1. Search all the eventuality formulas in the set Graph
2. Define acceptance conditions
3. A node will satisfy an acceptance condition if it does
not contain any of its eventualities in the field Next
Name Incoming
New
Old
Next
N2
{init, N2}

{[b|)F, b}
{[b|)F}
N3
{init, N2}

{[b|)F, b}

N4
{N3, N4}



AC0
{[b|)F} ; N3, N4 sat AC0  N2 sat AC0
N2 {b}
N3
N4 T
{b}
5. ALGORITHM
Obtaining a single set of accepting
states
Labelled Generalized Buchi Automaton (S, R, L, I, F), F = {F1, F2, …, Fk}
S is accepting iff  Fi  F, inf ()  Fi  
+
Possible scenarios
+
+
+
+
k = 0, satisfied by formulas of type I F and purely
propositional ones
k = 1, the LGBA coincides with an LBA
k > 1, we must obtain a single set of accepting states F
Determination of F
+
For Büchi automata representing FIL formulas, it always hold
that F = Fi
6. MEASUREMENTS & CONCLUSIONS
Measurements of the automaton
generation
Specification () in the syntax of FIL
Restricted
Extended
[a|)F
a
[a|)F
a
[a|b)[c|)F
[a|b) c
[[a|)F|)F 
a b
[[b|)F|)F
+
+
+
Size
Nodes Edges
Accepting states
k
|Fi|
|Fi|
1
3
5
2
6
10
0
1
2
2
4, 2
2
5
15
3
3, 4, 4
2
Quite a bit smaller automata than with global construction
(local automaton + eventuality automaton).
For simple specifications, similar measurements than those
obtained with Gerth et al.’s algorithm for LTL.
For complex specifications, FIL formulas are more concise and
easier to interpret than LTL ones  less complex automata.
6. MEASUREMENTS & CONCLUSIONS
Conclusions
+
Algorithm for generating a semantically
equivalent automaton from a FIL specification
+
+
+
Improvements on Gerth et al.’s algorithm [8] to obtain
smaller automata
Our tableau rules succinctly codify the notion of
limited temporal scope
Intended for on-the-fly model checking
+
+
+
Explore the state space in a demand-driven manner
Avoid the whole state space construction
First on-the-fly tableau algorithm for an interval logic
References
+
+
+
+
[3] C.Courcoubetis, O.Grumberg and D. Peled “Memory-efficient algorithms for the
verification of temporal properties”, Formal Methods in System Design, 1, 1992,
pp.275-288.
[8] R.Gerth, P.Peled, M.Y.Vardi, P.Wolper, “Simple On-the-Fly Automatic Verification
of Linear Temporal Logic”, Proceedings of the 15th International Symposium on
Protocol Specification, Testing and Verification, Warsaw, Poland, June 1995, pp.3-18.
[9] M.Hornos, M.I. Capel, “Automata Generation for On-the-Fly Automatic
Verification Using Formulas of an Interval Logic”, 2nd International Conference on
Application of Concurrency to System Design, Newcastle Upon Tyne, U.K., June 2001,
pp.221-230.
[14] Y.S.Ramakrishna, P.M.Melliar-Smith, L.E.Moser and L.K.Dillon and G.Kutty,
“Interval Logics and their Decision Procedures. Part I: An Interval Logic”, Theoretical
Computer Science, 166, 1996, pp.1-47.
END OF PRESENTATION
On-the-fly Model Checking from
Interval Logic Specifications
Manuel I. Capel & Miguel J. Hornos
Dept. Lenguajes y Sistemas Informáticos
Universidad de Granada
(Spain)
E-mail: {mcapel, mhornos}@ugr.es