Model Checking in the Propositional µ-Calculus
Ka I Violet Pun
INF 9140 - Specification and Verification of Parallel Systems
13th May, 2011
Overview
Model checking is a useful means to automatically ascertain whether a system meets its specification:
use a logic to specify the properties of the system, then
use a decision procedure to decide whether the system satisfies the specification.
Propositional µ-Calculus
A branching-time temporal logic.
An expressive logic: many branching-time logics can be translated into it.
It fully characterises the behaviour of finite-state processes.
Tableau-based proof system
Top-down proofs.
Determines whether states in a finite-state system satisfy propositions specified in the µ-calculus.
Violet Pun Model Checking in the Propositional µ-Calculus 2 / 24
Syntax
Grammar of the propositions
Φ ::= A | X | ¬Φ | Φ ∨ Φ | 〈a〉Φ | νX.Φ
formulas {Φ, . . . }
atomic formulas A = {A, . . . }
propositional variables V = {X, . . . }
action symbols Act = {a, . . . }
propositional connectives ¬ and ∨
modal operator 〈a〉
recursion operator ν
Syntax
Modal operators in the µ-calculus are indexed by an action a.
[a]Φ can be written as ¬〈a〉¬Φ.
Figure: 〈a〉Φ (diagram: a state with two a-successors, one satisfying Φ and one satisfying ¬Φ; some a-successor satisfies Φ)
Figure: [a]Φ (diagram: a state with two a-successors, both satisfying Φ; every a-successor satisfies Φ)
Syntax
Recursion operators are used for the recursive formulas νX.Φ and µX.Φ:
ν is the greatest fixed point operator,
µ is the least fixed point operator.
µX.Φ is written as ¬νX.¬Φ[¬X/X]
Syntactic restriction on Φ
Any occurrence of X in Φ must occur inside the scope of an even number of negations, to maintain monotonicity.
Transition System
A model of the µ-calculus is a labelled transition system,
a representation of the operational behaviour of processes:
〈S, Act, →〉
S is a set of states {s, . . . }
Act is a set of actions {a, . . . }
→ is a transition relation on S × Act × S, written as $s \xrightarrow{a} s'$ for some state s′
Model of µ-calculus
A model for the µ-calculus is a quadruple of the form
〈S, Act, →, V〉
〈S, Act, →〉 is a labelled transition system
V is a function, called the valuation, that maps each A ∈ A to the set of states where A holds
Semantics of the propositions
The semantics of the µ-calculus is written in the form $\llbracket \Phi \rrbracket_e$:
$\llbracket A \rrbracket_e = V(A)$
$\llbracket X \rrbracket_e = e(X)$
$\llbracket \neg\Phi \rrbracket_e = S - \llbracket \Phi \rrbracket_e$
$\llbracket \Phi_1 \vee \Phi_2 \rrbracket_e = \llbracket \Phi_1 \rrbracket_e \cup \llbracket \Phi_2 \rrbracket_e$
$\llbracket \langle a \rangle \Phi \rrbracket_e = \varphi_a(\llbracket \Phi \rrbracket_e)$, where $\varphi_a(T) = \{ s' \mid \exists s \in T .\ s' \xrightarrow{a} s \}$
$\llbracket \nu X.\Phi \rrbracket_e = \bigcup \{ T \subseteq S \mid T \subseteq \llbracket \Phi \rrbracket_{e[X \mapsto T]} \}$
Remarks
1. e is an environment which maps variables to sets of states
2. e[X ↦ T] represents the environment e with the value of variable X replaced by T
Lattice
For any set χ, $\langle 2^\chi, \subseteq, \cup, \cap \rangle$
is a complete lattice where
$2^\chi$ is the carrier set (the powerset of χ)
⊆ is the ordering relation: $\langle 2^\chi, \subseteq \rangle$ is a partially ordered set
∪ gives the least upper bound
∩ gives the greatest lower bound
Fixed points
A fixed point of a function φ over a lattice is a set S ⊆ χ with
φ(S) = S
and the set of fixed points is written as
{S ⊆ χ | φ(S) = S}
A greatest fixed point X of φ satisfies
$X \in \{S \subseteq \chi \mid \varphi(S) = S\}$ and $\forall X' \in \{S \subseteq \chi \mid \varphi(S) = S\} .\ X' \subseteq X$
A least fixed point X of φ satisfies
$X \in \{S \subseteq \chi \mid \varphi(S) = S\}$ and $\forall X' \in \{S \subseteq \chi \mid \varphi(S) = S\} .\ X \subseteq X'$
Fixed points
A function φ is monotone over a lattice if
$X_1 \subseteq X_2$ implies $\varphi(X_1) \subseteq \varphi(X_2)$
Tarski's Fixed Point Theorem
If the function φ over a lattice is monotonic, then it has a
greatest fixed point $\nu\varphi = \bigcup \{S \subseteq \chi \mid S \subseteq \varphi(S)\}$ and a
least fixed point $\mu\varphi = \bigcap \{S \subseteq \chi \mid \varphi(S) \subseteq S\}$
Fixed points
For the µ-calculus, given an environment e, a function φ is defined by
$\varphi(T) = \llbracket \Phi \rrbracket_{e[X \mapsto T]}$
Syntactic restriction on Φ
Any occurrence of X in Φ must occur inside the scope of an even number of negations.
This guarantees that the function φ over the lattice $2^S$ is monotonic, because
¬ is anti-monotonic, so an even number of negations composes to a monotonic map.
Hence φ has a greatest fixed point νφ.
Fixed points
$\langle 2^S, \subseteq, \cup, \cap \rangle$ is finite, and
every monotonic function over a finite complete lattice is continuous.
Kleene's Fixed Point Theorem
The greatest/least fixed point of a continuous function φ is
$\nu\varphi = \bigcap_{i=0}^{\infty} \varphi_i$
$\mu\varphi = \bigcup_{i=0}^{\infty} \varphi'_i$
where $\varphi_0 = S$, $\varphi_{i+1} = \varphi(\varphi_i)$, $\varphi'_0 = \emptyset$, $\varphi'_{i+1} = \varphi(\varphi'_i)$
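An added example (not from the slides): the semantic clauses evaluated over a constructed three-state labelled transition system, with ⟦νX.Φ⟧e computed by the descending Kleene chain φ0 = S, φi+1 = φ(φi) until it stabilises. The formula encoding, the model and the function names are assumptions; the chain check also catches a body that violates the even-negation restriction.

```python
# Added example, not from the slides: [[f]]e over a constructed finite model, with
# [[nuX.f]]e computed by the descending Kleene chain phi_0 = S, phi_{i+1} = phi(phi_i).
# Formula encoding (assumed): ('A', p), ('X', x), ('not', f), ('or', f, g),
# ('dia', a, f) for <a>f, ('nu', x, f) for nuX.f.
def sem(model, f, e):
    """[[f]]e as a frozenset of states; e maps variable names to sets of states."""
    S, succ, V = model                    # states, succ[(s, a)] -> states, V[p] -> states
    if f[0] == 'A':
        return V[f[1]]
    if f[0] == 'X':
        return e[f[1]]
    if f[0] == 'not':
        return S - sem(model, f[1], e)
    if f[0] == 'or':
        return sem(model, f[1], e) | sem(model, f[2], e)
    if f[0] == 'dia':                     # phi_a(T) = {s' | exists s in T with s' -a-> s}
        T = sem(model, f[2], e)
        return frozenset(s for s in S if succ.get((s, f[1]), frozenset()) & T)
    return gfp(model, f, e)               # ('nu', x, body)

def gfp(model, f, e):
    """nuX.body by Kleene iteration: phi_0 = S, phi_{i+1} = [[body]]e[X -> phi_i], until stable."""
    S, x, body = model[0], f[1], f[2]
    cur = S
    while True:
        nxt = sem(model, body, {**e, x: cur})
        if nxt == cur:
            return cur                    # the greatest fixed point (Kleene / Tarski)
        if not nxt < cur:                 # chain must descend; fails only if body is not monotone in x
            raise ValueError('body is not monotone in %s: even-negation restriction violated' % x)
        cur = nxt

# Constructed model: 0 -a-> 1, 1 -a-> 0, 1 -b-> 2, 2 -b-> 2; atomic p holds only at 2.
MODEL = (frozenset({0, 1, 2}),
         {(0, 'a'): frozenset({1}), (1, 'a'): frozenset({0}),
          (1, 'b'): frozenset({2}), (2, 'b'): frozenset({2})},
         {'p': frozenset({2})})

def states_satisfying(f):                 # [[f]] in MODEL under the empty environment
    return sem(MODEL, f, {})
```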
Fixed points
Figure: the lattice $2^S$, with ∅ at the bottom and S at the top. The chain $\varphi'_0 = \emptyset$, $\varphi'_1 = \varphi(\varphi'_0)$, . . . rises to $\mu\varphi = \bigcup_{i=0}^{\infty} \varphi'_i$ and the chain $\varphi_0 = S$, $\varphi_1 = \varphi(\varphi_0)$, . . . descends to $\nu\varphi = \bigcap_{i=0}^{\infty} \varphi_i$; the sets $\{S \subseteq \chi \mid \varphi(S) = S\}$, $\{S \subseteq \chi \mid S \subseteq \varphi(S)\}$ and $\{S \subseteq \chi \mid \varphi(S) \subseteq S\}$ are marked, so that
$\nu\varphi = \bigcup \{S \subseteq \chi \mid \varphi(S) = S\} = \bigcup \{S \subseteq \chi \mid S \subseteq \varphi(S)\}$
$\mu\varphi = \bigcap \{S \subseteq \chi \mid \varphi(S) = S\} = \bigcap \{S \subseteq \chi \mid \varphi(S) \subseteq S\}$
The Tableau-Based Proof System
Proofs are conducted in a top-down fashion: conclusions above premises.
A decision procedure to determine whether states have the specified properties.
It is not necessary to examine every state in the system.
Information computed in one phase of the tableau construction process can be reused.
The Tableau-Based Proof System
Proof rules operate on sequents.
Sequents
$H \vdash_M s \in \Phi$
M is a model
s is a state of M
H is a set of hypotheses {s′ : Γ}, where s′ is a state and Γ is a closed recursive formula
Sequents are written as σ, . . . for short.
The Tableau-Based Proof System
A tableau for a sequent σ is a maximal proof tree constructed by the tableau rules and having σ as its root.
Given a sequent σ′ that results from applying a rule to σ,
σ′ is a child of σ and σ is the parent of σ′;
a sequent in a tableau is a leaf if it does not have any children;
the height of a tableau is the length of the longest sequence 〈σ0, σ1, . . . 〉.
The Tableau-Based Proof System
Definition
A leaf H ⊢ s ∈ Φ is successful if
1. Φ ∈ A and s ∈ V(Φ), or
2. Φ is ¬A for some A ∈ A and s ∉ V(A), or
3. Φ is ¬〈a〉Φ′ for some a and Φ′, or
4. Φ is νX.Φ′ and s : νX.Φ′ ∈ H for some X and Φ′.
A tableau is successful when all its leaves are successful.
A sequent σ has a proof if it has a successful tableau.
Tableau rules for the propositional µ-calculus
R1
  H ⊢ s ∈ ¬¬Φ
  ───────────
  H ⊢ s ∈ Φ

R2
  H ⊢ s ∈ Φ1 ∨ Φ2
  ───────────────
  H ⊢ s ∈ Φ1

R3
  H ⊢ s ∈ Φ1 ∨ Φ2
  ───────────────
  H ⊢ s ∈ Φ2

R4
  H ⊢ s ∈ ¬(Φ1 ∨ Φ2)
  ───────────────────────────
  H ⊢ s ∈ ¬Φ1     H ⊢ s ∈ ¬Φ2

R5
  H ⊢ s ∈ 〈a〉Φ
  ─────────────   (s′ ∈ {s′ | s -a-> s′})
  H ⊢ s′ ∈ Φ

R6
  H ⊢ s ∈ ¬〈a〉Φ
  ──────────────────────────────────   ({s1, s2, . . . } = {s′ | s -a-> s′})
  H ⊢ s1 ∈ ¬Φ     H ⊢ s2 ∈ ¬Φ     . . .

R7
  H ⊢ s ∈ νX.Φ
  ──────────────────────────────────   (s : νX.Φ ∉ H)
  H′ ∪ {s : νX.Φ} ⊢ s ∈ Φ[νX.Φ/X]

R8
  H ⊢ s ∈ ¬νX.Φ
  ──────────────────────────────────   (s : νX.Φ ∉ H)
  H′ ∪ {s : νX.Φ} ⊢ s ∈ ¬Φ[νX.Φ/X]

where H′ = H − {s′ : Γ | νX.Φ ≺ Γ}
Tableau rules for the propositional µ-calculus
R7
  H ⊢ s ∈ νX.Φ
  ──────────────────────────────────   (s : νX.Φ ∉ H)
  H′ ∪ {s : νX.Φ} ⊢ s ∈ Φ[νX.Φ/X]
where H′ = H − {s′ : Γ | νX.Φ ≺ Γ}
A state satisfies a recursive property if it satisfies the unrolling of the property.
Hypotheses about formulas that have the recursive formula as a subformula are removed.
Model Checking Algorithm
Example algorithm: a simple straightforward procedure
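An added example (it is not the slides' or Cleaveland's code): the rules R1 to R8 run as a straightforward recursive procedure over a constructed three-state model. The formula encoding, the model and the function names are assumptions, and ≺ is read as in the gloss on R7 above (νX.Φ is a proper subformula of Γ), so R7 and R8 drop the hypotheses about formulas that contain the fixed point being unrolled.

```python
# Added example, not the slides' code: tableau rules R1-R8 as a recursive search.
# Formula encoding (assumed): ('A', p), ('X', x), ('not', f), ('or', f, g),
# ('dia', a, f) for <a>f, ('nu', x, f) for nuX.f; [a]f is ('not', ('dia', a, ('not', f))).
def subst(f, x, by):                      # f[by/x] on the free occurrences of x
    if f[0] == 'X':
        return by if f[1] == x else f
    if f[0] == 'A' or (f[0] == 'nu' and f[1] == x):
        return f
    if f[0] in ('nu', 'dia'):
        return (f[0], f[1], subst(f[2], x, by))
    return (f[0],) + tuple(subst(g, x, by) for g in f[1:])

def proper_sub(small, big):               # small is a proper subformula of big (small < big)
    kids = [g for g in big[1:] if isinstance(g, tuple)]
    return any(g == small or proper_sub(small, g) for g in kids)

def check(model, H, s, f):                # True iff H |- s in f has a successful tableau
    succ, val = model                     # succ[(s, a)] -> set of states, val[p] -> set of states
    if f[0] == 'A':                       # successful leaf (1)
        return s in val[f[1]]
    if f[0] == 'or':                      # R2 / R3: either disjunct suffices
        return check(model, H, s, f[1]) or check(model, H, s, f[2])
    if f[0] == 'dia':                     # R5; no a-successor leaves an unsuccessful leaf
        return any(check(model, H, t, f[2]) for t in succ.get((s, f[1]), ()))
    if f[0] == 'nu':                      # successful leaf (4), otherwise R7
        if (s, f) in H:
            return True
        H2 = frozenset(h for h in H if not proper_sub(f, h[1])) | {(s, f)}   # H' + new hypothesis
        return check(model, H2, s, subst(f[2], f[1], f))
    g = f[1]                              # from here on f is ('not', g); f must be closed
    if g[0] == 'A':                       # successful leaf (2)
        return s not in val[g[1]]
    if g[0] == 'not':                     # R1
        return check(model, H, s, g[1])
    if g[0] == 'or':                      # R4: both negated disjuncts must hold
        return check(model, H, s, ('not', g[1])) and check(model, H, s, ('not', g[2]))
    if g[0] == 'dia':                     # R6; no a-successor is successful leaf (3)
        return all(check(model, H, t, ('not', g[2])) for t in succ.get((s, g[1]), ()))
    if (s, g) in H:                       # ~nuX.f with its hypothesis present: unsuccessful leaf
        return False
    H2 = frozenset(h for h in H if not proper_sub(g, h[1])) | {(s, g)}       # R8
    return check(model, H2, s, ('not', subst(g[2], g[1], g)))

# Constructed model: 0 -a-> 1, 1 -a-> 0, 1 -b-> 2, 2 -b-> 2; atomic p holds only at 2.
MODEL = ({(0, 'a'): {1}, (1, 'a'): {0}, (1, 'b'): {2}, (2, 'b'): {2}}, {'p': {2}})
def inf_often(b, a):                      # nuX.muY.(<a>Y v <b>X) with mu as ~nuY.~F[~Y/Y]
    return ('nu', 'X', ('not', ('nu', 'Y', ('not', ('or',
            ('dia', a, ('not', ('X', 'Y'))), ('dia', b, ('X', 'X')))))))
def holds(s, f):                          # does state s of MODEL satisfy closed formula f?
    return check(MODEL, frozenset(), s, f)
```

The nested formula exercises H′: unrolling the outer ν at a new state discards the hypotheses recorded for the inner fixed point, which is what keeps the check sound on alternating formulas.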
Model Checking Algorithm
The simple algorithm is not efficient:
exponential behaviour on formulas.
Reason:
nested modal operators;
no provision for storing the results of sequents whose truth has already been determined.
Possible solution
Save the result of a previous computation and look it up later.
The truth of some sequents can be deduced solely from the truth of other sequents:
Suppose that H ⊢ s ∈ νX.Φ has a successful tableau. Then H ∪ {s : νX.Φ} ⊢ s′ ∈ Γ has a successful tableau if and only if H ⊢ s′ ∈ Γ does.