From Model Checking to Proof Checking ... and Back Kedar Namjoshi Bell Labs April 29, 2005



  • Abstraction ◦ Model Checking = Deductive Proof
    (Diagram with nodes M ⊨ φ, M ⊢ φ, M̄ ⊨ φ and M̄ ⊢ φ, under the column headings MODEL CHECKING and PROOF CHECKING; the edges are labelled Certifying Model Checker, Abstraction, Proof Lifting and Completeness.)

  • I. From Model Checking to Proof Checking
    We show how to build a "certifying" model checker, one that generates a proof to justify its result.
    Why bother?
    • Proofs generalize counterexample traces for failure
    • A proof is an independently-checkable certificate for success (think PCC for temporal properties)
    • A proof is a convenient data structure for interactive exploration and incremental model checking

  • CTL Basics
    The CTL logic is built out of atomic propositions, boolean operators, and the temporal operators EX(φ) ("φ holds of some successor"), E(φ W ψ) ("φ unless ψ"), and E(φ U ψ) ("φ until ψ").
    Some derived operators:
    EF(φ) ("φ is reachable") = E(true U φ)
    AX(φ) ("all successors satisfy φ") = ¬EX(¬φ)
    AG(φ) ("φ is invariant") = ¬EF(¬φ)

  • CTL via fixpoints
    The basic CTL operators can be defined as fixpoints of EX-formulas.
    • EF(φ) = (min Z : φ ∨ EX(Z))
    • E(φ W ψ) = (max Z : ψ ∨ (φ ∧ EX(Z)))
    Fixpoint formulas can be re-worked into a structurally simple notation: alternating automata.

  • Simple Alternating Automata (SAA)
    A SAA is just like an NFA, except that the transition function δ maps a state to a boolean formula over atomic propositions and EX.
    E.g., EF(P) has a 3-state automaton, with initial state q0:
    δ(q0) = q1 ∨ q2; δ(q1) = P; δ(q2) = EX(q0)
    This is just the parse graph of (min Z : P ∨ EX(Z)). The (Büchi) acceptance set, F, is empty.
    Theorem 0: Every CTL formula can be represented by an SAA of proportional size.

  • An Automaton-based proof system
    To show that a program M with state set S and transition relation R satisfies an automaton property (Q, q̂, δ, F) we need, for each automaton state q:
    • An invariance predicate, φq ⊆ S, and
    • A partial rank function, ρq : S → N
    Roughly speaking, the invariance assertions state that any (reachable) state of M satisfying q falls within the "safe" set φq. The rank function marks the "distance" to reaching a Büchi state; it is re-set when the distance is 0.

  • Conditions for a valid Proof
    * Consistency: ρq is defined for every state in φq
    * Initiality: Every initial state of M satisfies φq̂
    * Safety and Progress: Based on δ(q)
    • l (a literal): φq(s) ⇒ l(s), for all s.
    • (∨j : qj): (similarly for ∧) φq(s) ⇒ (∃j : φqj(s) ∧ (ρqj(s) <q ρq(s)))
    • EX(r): (similarly for AX) φq(s) ⇒ (∃t : sRt : φr(t) ∧ (ρr(t) <q ρq(s)))
    The relation a <q b = if q ∉ F then a < b else true
    Progress and safety have to be checked together because of the EX and ∨ operators.

  • Generating a Proof - I
    Key: model check with automata instead of CTL
    1. Turn CTL specification into a simple automaton
    2. Form an AND-OR product graph of the program M and automaton A
    3. Check the canonical property: does Player I have a winning strategy?
    W_I = (max Z; min Y : tt ∨ (OR ∧ (F ⇒ EX(Z)) ∧ (¬F ⇒ EX(Y))) ∨ (AND ∧ (F ⇒ AX(Z)) ∧ (¬F ⇒ AX(Y))))

  • Generating a Proof - II
    Now set:
    1. the invariant φq to be {s : (s, q) ∈ W_I}
    2. the rank ρq(s) to the index of the earliest stage for Y where (s, q) is added, during the last Z iteration.
    This works!
    Theorem 1: The proof system is sound and (relatively) complete.
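The proof conditions and the two generation steps above, as an added runnable example (my code, not the talk's or COSPAN's). It assumes a small constructed program M with five states and uses the EF(P) automaton from the SAA slide; it generates (φq, ρq) by the stage-index rule and then re-checks the certificate with an independent checker that implements the consistency, initiality and safety/progress conditions.

```python
"""Certifying model checker for EF(P) via a simple alternating automaton (SAA).

Added example, not from the talk: the program M below is constructed, and the
generator/checker are small implementations of the slides' scheme, with invariant
phi_q = {s : (s,q) in W} and rank rho_q(s) = index of the stage that adds (s,q).
The EF(P) automaton has an empty Buchi set F, so the outer max-Z iteration of W_I
is vacuous and one min-Y iteration over the AND-OR product graph suffices."""
from itertools import count

# Constructed program M: states 0..4, relation R, P holds only in state 3.
# State 4 is a self-looping dead end from which P is unreachable.
STATES = [0, 1, 2, 3, 4]
R = {0: [1], 1: [2, 4], 2: [3], 3: [3], 4: [4]}
INIT = [0]
LABEL = {"P": {3}}

# The 3-state SAA for EF(P) from the slides: q0 -> q1 or q2, q1 -> P, q2 -> EX(q0).
DELTA = {"q0": ("or", ["q1", "q2"]), "q1": ("lit", "P"), "q2": ("ex", "q0")}
Q_HAT, F = "q0", set()   # initial automaton state, (empty) Buchi acceptance set

def holds_lit(lit, s):
    """Literal l(s): an atomic proposition or its negation, written "!P"."""
    return (s in LABEL[lit.lstrip("!")]) != lit.startswith("!")

def node_true(q, s, y):
    """Is product node (s,q) justified by delta(q), given the nodes already in y?"""
    kind, arg = DELTA[q]
    if kind == "lit":
        return holds_lit(arg, s)
    if kind in ("or", "and"):
        return (any if kind == "or" else all)((s, r) in y for r in arg)
    return (any if kind == "ex" else all)((t, arg) in y for t in R[s])

def generate_proof():
    """Model check by least-fixpoint iteration over the product graph, recording
    the stage at which each node (s,q) is first added; that index is rho_q(s)."""
    y, stage = set(), {}
    for i in count(1):
        new = {(s, q) for s in STATES for q in DELTA
               if (s, q) not in y and node_true(q, s, y)}
        if not new:
            break
        stage.update({n: i for n in new})
        y |= new
    phi = {q: {s for (s, r) in y if r == q} for q in DELTA}
    rho = {q: {s: stage[(s, q)] for s in phi[q]} for q in DELTA}
    return phi, rho

def less_q(q, a, b):
    """The slides' relation a <_q b: strict decrease unless q is a Buchi state."""
    return True if q in F else a < b

def check_proof(phi, rho):
    """Independent checker for the three conditions of a valid proof.  It never
    re-runs the fixpoint; it only inspects M, the automaton and (phi, rho)."""
    # Consistency: rho_q is defined on every state of phi_q.
    if any(s not in rho[q] for q in DELTA for s in phi[q]):
        return False
    # Initiality: every initial state of M satisfies phi_{q_hat}.
    if any(s not in phi[Q_HAT] for s in INIT):
        return False
    # Safety and progress, by cases on delta(q); checked together, as the slides say.
    for q, (kind, arg) in DELTA.items():
        for s in phi[q]:
            if kind == "lit":
                ok = holds_lit(arg, s)
            elif kind in ("or", "and"):
                wit = [s in phi[r] and less_q(q, rho[r][s], rho[q][s]) for r in arg]
                ok = any(wit) if kind == "or" else all(wit)
            else:  # "ex" / "ax": the witness is a successor t with s R t
                wit = [t in phi[arg] and less_q(q, rho[arg][t], rho[q][s]) for t in R[s]]
                ok = any(wit) if kind == "ex" else all(wit)
            if not ok:
                return False
    return True

def forged_proof():
    """A tampered certificate claiming the dead-end state 4 reaches P.  No choice
    of ranks makes rho strictly decrease around the 4 -> 4 cycle, so the checker
    rejects it: the rank function is what rules out circular justification."""
    phi, rho = generate_proof()
    phi["q0"].add(4); rho["q0"][4] = 2
    phi["q2"].add(4); rho["q2"][4] = 1
    return check_proof(phi, rho)
```

The checker is a few dozen lines and consults only M, the automaton and the certificate, which is the point of the "independently-checkable certificate" bullet: the large model checker need not be trusted.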

  • Generating Proofs - IV
    Problem: we do not know before-hand whether the check succeeds or fails.
    Immediate Solution: Generate proofs after normal model checking. (this requires two runs of the model checker)
    Better Solution? Exploit duality. If W_I fails to hold of all initial states, then its dual, W_II, holds of some initial state. So keep approximations for both Y and Z, and use whichever is appropriate at the end.

  • A Simple Example: 2-process, Atomic Bakery Protocol
    var st1, st2 : {N, W, C}   (* N = "Non-critical", W = "Waiting", C = "Critical" *)
    var y1, y2 : natural
    initially (st1 = N) ∧ (y1 = 0) ∧ (st2 = N) ∧ (y2 = 0)
    wait1:    st1 = N ↪→ st1, y1 := W, y2 + 1
    enter1:   st1 = W ∧ (y2 = 0 ∨ y1 ≤ y2) ↪→ st1 := C
    release1: st1 = C ↪→ st1, y1 := N, 0
    wait2:    st2 = N ↪→ st2, y2 := W, y1 + 1
    enter2:   st2 = W ∧ (y1 = 0 ∨ y2 < y1) ↪→ st2 := C
    release2: st2 = C ↪→ st2, y2 := N, 0

  • The Abstracted Protocol
    Abstraction: b1 = (y1 = 0); b2 = (y2 = 0); b3 = (y1 ≤ y2)
    var st1, st2 : {N, W, C}
    var b1, b2, b3 : boolean
    initially (st1 = N) ∧ b1 ∧ (st2 = N) ∧ b2 ∧ b3
    wait1:    st1 = N ↪→ st1, b1, b2, b3 := W, false, b2, false
    enter1:   st1 = W ∧ (b2 ∨ b3) ↪→ st1, b1, b2, b3 := C, b1, b2, b3
    release1: st1 = C ↪→ st1, b1, b2, b3 := N, true, b2, true
    wait2:    st2 = N ↪→ st2, b1, b2, b3 := W, b1, false, true
    enter2:   st2 = W ∧ (b1 ∨ ¬b3) ↪→ st2, b1, b2, b3 := C, b1, b2, b3
    release2: st2 = C ↪→ st2, b1, b2, b3 := N, b1, true, b1

  • Abstract Proof
    (Figure: the reachable abstract states, as tuples (st1, st2, b1, b2, b3).)
    (W, C, ff, ff, ff), (N, N, tt, tt, tt), (W, N, ff, tt, ff), (N, W, tt, ff, tt), (C, N, ff, tt, ff), (W, W, ff, ff, tt), (W, W, ff, ff, ff), (N, C, tt, ff, tt), (C, W, ff, ff, tt)
    For the mutual exclusion property = AG(¬(C1 ∧ C2)), the invariants are just the set of reachable states.

  • Concretizing this Proof
    Let ξ be a simulation relation from M to M̄. A proof (φ, ρ) on M̄ can be concretized to a proof (φ′, ρ′) on M by letting
    φ′q(s) ≡ (∃t : sξt : φq(t)), and
    ρ′q(s) = (min t : sξt ∧ φq(t) : ρq(t))
    So:
    φ′q(st1, st2, y1, y2)
    = (by definition)
    (∃b1, b2, b3 : b1 ≡ (y1 = 0) ∧ b2 ≡ (y2 = 0) ∧ b3 ≡ (y1 ≤ y2) ∧ φq(st1, st2, b1, b2, b3))
    = (simplifying)
    φq(st1, st2, (y1 = 0), (y2 = 0), (y1 ≤ y2))
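The bakery abstraction and its concretization, as an added example (my code, not the talk's). It encodes the concrete and abstracted protocols exactly as written on the slides, recomputes the abstract reachable set shown on the Abstract Proof slide, checks mutual exclusion on it, and then checks the simplified concretized invariant φ′ against concrete transitions. The function names and the bounded window of ticket values used for that last check are my own choices.

```python
"""The 2-process atomic bakery protocol and its predicate abstraction.

Added example, not from the talk: the concrete and abstracted protocols are encoded
as written on the slides (b1 = (y1 = 0), b2 = (y2 = 0), b3 = (y1 <= y2)); the
function names and the bounded check of the lifted invariant are my own."""
from collections import deque

N, W, C = "N", "W", "C"

# Abstract protocol: state = (st1, st2, b1, b2, b3); entries are (name, guard, update).
ABSTRACT = [
    ("wait1",    lambda s1, s2, b1, b2, b3: s1 == N,
                 lambda s1, s2, b1, b2, b3: (W, s2, False, b2, False)),
    ("enter1",   lambda s1, s2, b1, b2, b3: s1 == W and (b2 or b3),
                 lambda s1, s2, b1, b2, b3: (C, s2, b1, b2, b3)),
    ("release1", lambda s1, s2, b1, b2, b3: s1 == C,
                 lambda s1, s2, b1, b2, b3: (N, s2, True, b2, True)),
    ("wait2",    lambda s1, s2, b1, b2, b3: s2 == N,
                 lambda s1, s2, b1, b2, b3: (s1, W, b1, False, True)),
    ("enter2",   lambda s1, s2, b1, b2, b3: s2 == W and (b1 or not b3),
                 lambda s1, s2, b1, b2, b3: (s1, C, b1, b2, b3)),
    ("release2", lambda s1, s2, b1, b2, b3: s2 == C,
                 lambda s1, s2, b1, b2, b3: (s1, N, b1, True, b1)),
]
ABS_INIT = (N, N, True, True, True)

# Concrete protocol: state = (st1, st2, y1, y2) with y1, y2 natural numbers.
CONCRETE = [
    ("wait1",    lambda s1, s2, y1, y2: s1 == N,
                 lambda s1, s2, y1, y2: (W, s2, y2 + 1, y2)),
    ("enter1",   lambda s1, s2, y1, y2: s1 == W and (y2 == 0 or y1 <= y2),
                 lambda s1, s2, y1, y2: (C, s2, y1, y2)),
    ("release1", lambda s1, s2, y1, y2: s1 == C,
                 lambda s1, s2, y1, y2: (N, s2, 0, y2)),
    ("wait2",    lambda s1, s2, y1, y2: s2 == N,
                 lambda s1, s2, y1, y2: (s1, W, y1, y1 + 1)),
    ("enter2",   lambda s1, s2, y1, y2: s2 == W and (y1 == 0 or y2 < y1),
                 lambda s1, s2, y1, y2: (s1, C, y1, y2)),
    ("release2", lambda s1, s2, y1, y2: s2 == C,
                 lambda s1, s2, y1, y2: (s1, N, y1, 0)),
]

def successors(program, state):
    return [update(*state) for _, guard, update in program if guard(*state)]

def reachable(program, init):
    """BFS; terminates on the finite abstract protocol (the concrete one is infinite-state)."""
    seen, todo = {init}, deque([init])
    while todo:
        s = todo.popleft()
        for t in successors(program, s):
            if t not in seen:
                seen.add(t); todo.append(t)
    return seen

def mutual_exclusion(states):
    """AG(not (C1 and C2)) over a set of (abstract or concrete) states."""
    return all(not (s1 == C and s2 == C) for s1, s2, *_ in states)

def alpha(s1, s2, y1, y2):
    """Each concrete state is xi-related to exactly one abstract state."""
    return (s1, s2, y1 == 0, y2 == 0, y1 <= y2)

def concretize(phi):
    """phi' as simplified on the slides: phi evaluated on the three predicates."""
    return lambda s1, s2, y1, y2: alpha(s1, s2, y1, y2) in phi

def inductive_on_window(phi_conc, bound):
    """Bounded check that the lifted invariant is inductive: every concrete step out
    of a phi'-state lands in a phi'-state, for all y1, y2 <= bound.  Successor tickets
    may exceed the bound, which is fine since phi' only looks at the predicates."""
    for s1 in (N, W, C):
        for s2 in (N, W, C):
            for y1 in range(bound + 1):
                for y2 in range(bound + 1):
                    s = (s1, s2, y1, y2)
                    if phi_conc(*s) and not all(phi_conc(*t) for t in successors(CONCRETE, s)):
                        return False
    return True
```

Note that the concrete protocol cannot be explored exhaustively (tickets grow without bound), which is exactly why the nine-state abstraction is needed to obtain a finite proof.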

  • Summary: Proof Generation
    • It is possible to design a model checker which generates an independently checkable proof of its results.
    • This can be done quite easily: COSPAN modification (experimental) about 200 lines of C.
    • Generated proofs have several applications ... and perhaps some as-yet-unknown ones!


  • II. Completeness of Verification via Abstraction (joint work with Dennis Dams)
    Given: Program M, property φ; to check M ⊨ φ
    Construct Abstraction: a finite program M̄
    Model Check: whether M̄ ⊨ φ
    An Abstraction Framework specifies the precise relationship between M and M̄.
    Soundness: for any M, φ: if M̄ ⊨ φ, then M ⊨ φ
    Completeness: for any M, φ: if M ⊨ φ, there exists an abstraction M̄ such that M̄ ⊨ φ

  • Summary of New Results
    For properties expressed in branching time temporal logics (e.g., CTL, CTL*, or the µ-calculus)
    * Negative: Several well-studied abstraction frameworks are incomplete. Examples: bisimulation [Milner71], modal transition system refinement [Larsen-Thomsen88]. This holds even with enhancements such as fairness or stuttering.
    * Positive: A simple extension of modal transition systems with new focus operations gives rise to a complete framework. This is intimately connected to the representation of properties by finite tree automata.

  • Completeness and "Small Model" Theorems
    Small Model Theorem [Hossley-Rackoff 72, Emerson 85]: Any satisfiable property of the µ-calculus has a finite model.
    Why doesn't this settle the question?
    ... because the small model need not abstract M.
    Example: (Figure: a model N and a program M, each with a state labelled {Q}.)
    N is a small model for the property "there is a reachable Q-state". But N and M are unrelated by, say, simulation or modal refinement.

  • Modal Transition Systems [Larsen-Thomsen 1988]
    A (Kripke) MTS is a transition system with
    • two transition relations: may (over-approximate) and must (under-approximate) transitions, with must ⊆ may
    • a 3-valued (true, false, ⊥) propositional valuation at states
    For temporal logics, existential path modalities (e.g., EX) are interpreted over must-transitions; universal path modalities (e.g., AX) over may-transitions. The outcome of model checking is also 3-valued.

  • Abstraction with MTS's
    If c ⊑ a then:
    – ∀c′ : c → c′ ⇒ (∃a′ : a →may a′ ∧ c′ ⊑ a′)
    – ∀a′ : a →must a′ ⇒ (∃c′ : c → c′ ∧ c′ ⊑ a′)
    Program M:
      integer x;
      L1: {x is even}
      L2: if (*) then x := x + 2 else x := x + 4;
      L3:
    (Figure: abstract state {L2, even(x)} has a must transition to {L3, even(x)} and a may transition to {L3, div3(x)}.)

  • Incompleteness
    Program M:
      L0: initially even(x)
      L1: while (x > 0) do x := x − 2 od;
      L2: x := −1
    (Figure: the state graph of M, with x = 2n, ..., 4, 2, 0 at L0/L1 and x = −1 at L2.)
    Let φ = E(even(x) W (x < 0)).
    Theorem 2: No finite MTS abstracts M and satisfies φ.
    Proof by contradiction. The property holds for must-paths in M̄; so either (i) even(x) holds forever, or (ii) by finiteness, x is negative within a bounded number of steps. The must-abstraction enforces these properties at every initial state of M, a contradiction!

  • Consequences and Variations
    (Bi-)simulation is a special case of MTS refinement. Hence,
    Corollary 0: Abstraction with reverse simulation or bisimulation is incomplete for existential CTL properties.
    With a slight modification to the example:
    Theorem 3: Abstraction by MTS's with fairness or stuttering is also incomplete for existential CTL properties.
    A more elaborate property shows that the same results can be obtained even if M has a single initial state.

  • State-of-the-art for Completeness
    * Model Abstraction: abstract the model, preserve the property
    – ACTL, ACTL*: fair simulation [Grumberg-Long 1994, Kupferman-Vardi 1997]
    – µ-calculus: fair Focused Transition System abstraction
    * Game Abstraction: abstract the model-checking game, preserve the winning condition.
    – linear-time: fair simulation [Uribe 1999, Kesten-Pnueli 2000, Kesten-Pnueli-Vardi 2001]
    – µ-calculus: fair alternating refinement + choice [Namjoshi 2003]

  • The Need for Focus Operations
    Transition a →must b exists only if every c : c ⊑ a has a transition to a state abstracted by b.
    This forces any abstract MTS for our example to be infinite.
    E.g., L1 : even(x) ↛must L2 : (x < 0); so the source must be split; say to L1 : (x < 0), L1 : (x ≥ 0) ∧ even(x). But again L1 : (x ≥ 0) ∧ even(x) ↛must (x < 0).
    Can one somehow relax the must-transition definition? (Such a relaxation must preserve soundness.)

  • Alternating Automata
    An alternating automaton for E(even(x) W (x < 0))
    (Figure: automaton with initial state q0 and states q1, q2, q3, q4, carrying the labels OK, OK, EX, (x < 0) and even(x).)
    During model checking, each automaton state is associated with a set of program states.
    Can an automaton be viewed as an abstract transition system?

  • Focus Steps
    A focus step splits an abstract state into a set of more precise abstract states (case-splitting).
    A Focused Transition System (FTS) is an MTS with focus and (dual) de-focus steps.
    For our example: (Figure: states a0 to a4 connected by FOCUS, MUST and DEFOCUS steps, with the labels {even(x)} and {(x < 0)}.)
    a0 : L0, L1 : even(x), L2 : (x < 0)
    a1 : L2 : (x < 0)
    a2 : L0, L1 : even(x)
    a3 : L0, L1 : even(x)
    a4 : L0, L1 : even(x)
    Note the similarity to the automaton — this is no accident.

  • Completeness via Automata
    Theorem 4: For any M and any µ-calculus property φ, if M ⊨ φ, there is a finite FTS M̄ such that M̄ both abstracts M and satisfies φ.
    The FTS M̄ may be obtained by: (i) converting φ to a finite alternating tree automaton Aφ, then (ii) converting to an FTS Âφ (roughly) as follows.
    AX-move ⇒ may transition
    EX-move ⇒ must transition
    ∨-move ⇒ focus transition
    ∧-move ⇒ de-focus transition
    acceptance condition ⇒ fairness condition

  • Maximal Models
    Notice that M̄ = Âφ is independent of M! Thus, Âφ is a maximal model for φ.
    By results of [Emerson-Jutla 1991], this maximal model has size linear in the size of φ.
    Maximal model results for ACTL, ACTL* [Grumberg-Long 1994, Kupferman-Vardi 1997] require exponential-size models.
    Maximal models reduce model checking to simulation-checking.

  • Completeness: Summary
    • May-Must abstraction does not guarantee the existence of finite abstractions for existential temporal properties.
    • The key to obtaining completeness seems to be a notion of state-splitting we call a focus step.
    • FTS's are intimately connected to alternating tree automata. It turns out [Dams-Namjoshi, VMCAI 2005] that non-deterministic automata suffice. In effect: transition systems + fairness + choice
    • FTS's also ensure more precision in must-abstractions. (cf. [de Alfaro-Godefroid-Jagadeesan, LICS 2004])

  • To sum up
    Model Checking and Proof Checking are closely linked, with Abstraction as the "glue".

  • (Partial) Reference List
    I. From Model Checking to Proof Checking
    [Stevens-Stirling, TACAS 1998] Practical Model-Checking Using Games
    [Namjoshi, CAV 2001] Certifying Model Checkers
    [Peled-Zuck, SPIN 2001] From Model Checking to a Temporal Proof
    [Peled-Pnueli-Zuck, FSTTCS 2001] From Falsification to Verification
    [Clarke-Jha-Lu-Veith, LICS 2002] Tree-like Counterexamples in Model Checking
    [Tan-Cleaveland, CAV 2002] Evidence-Based Model Checking
    [Henzinger-Jhala-Majumdar-Necula-Sutre-Weimer, CAV 2002] Temporal-Safety Proofs for Systems Code
    [Gurfinkel-Chechik, TACAS 2003] Proof-like counterexamples
    [Namjoshi, VMCAI 2003] Lifting Temporal Proofs through Abstractions
    [Namjoshi, CAV 2004] An Efficiently Checkable, Proof-Based Formulation of Vacuity in Model Checking

  • Reference List - II
    II. ... and Back
    [Uribe, Thesis 2000] Abstraction-Based Deductive-Algorithmic Verification of Reactive Systems
    [Kesten-Pnueli, Inf. Comp. 2000] Verification by augmented finitary abstraction
    [Namjoshi, CAV 2003] Branching-Time Abstraction
    [Dams-Namjoshi, LICS 2004] The Existence of Finite Abstractions for Branching Time Model Checking
    [Dams-Namjoshi, VMCAI 2005] Automata as Abstractions

  • ... Additional Slides ...

  • FTS's and Disjunctive MTS's [Larsen-Xinxin 1990]
    DMTS's introduced to guarantee a solution to CCS equations of the form {Ci(X) = Ei}
    DMTS's split a must-transition into cases: instead of a →must b, allow a →must {B0, B1, ...} where the Bi are sets of abstract states.
    Re-discovered in [Shoham-Grumberg 2004, de Alfaro-Godefroid-Jagadeesan 2004] for increasing the precision of abstractions.
    FTS's are different in that one first splits a state, then constructs ordinary must transitions.