1 / 73

¹ - Calculus

¹ - Calculus. Based on: “Model Checking”, E. Clarke and O. Grumberg (ch. 6, 7) “Symbolic Model Checking: 10^20 States and Beyond”, Burch, Clark, et al “Introduction to Modal Mu-Calculi”, J. Bradfield and C. Stirling. Agenda. Review Some fixpoint theory Syntax and semantics of ¹ -Calculus

careyt
Télécharger la présentation

¹ - Calculus

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ¹-Calculus Based on: “Model Checking”, E. Clarke and O. Grumberg (ch. 6, 7) “Symbolic Model Checking: 10^20 States and Beyond”, Burch, Clark, et al “Introduction to Modal Mu-Calculi”, J. Bradfield and C. Stirling

  2. Agenda • Review • Some fixpoint theory • Syntax and semantics of ¹-Calculus • Examples • Symbolic Model Checking • Applications

  3. Reminder: Kripke Structure • M=(S,R,L ) p q p,q AP={p,q}

  4. Reminder: CTL* (I) • State formulae: • p2AP • If f and g are state formulae, so are: fÆg:ffÇg • If f is a path formula, the following are state formulae: Af Ef

  5. Reminder: CTL* (II) • Path formulae: • If f is a state formula, it is also a path formula • If f and g are path formula, so are: fÆg:ffÇg • If f and g are path formula, so are: XfGf Ff fUg fWg f f f f f … f … g f f f g f f f f f f f …

  6. Agenda • Review Some fixpoint theory • Syntax and semantics of ¹-Calculus • Examples • Symbolic Model Checking • Applications 

  7. { 1 , 2 , 3 } { 1 , 2 } { 1 , 3 } { 2 , 3 } { 1 } { 2 } { 3 } ; Fixpoints: definitions (I) • The power-set lattice • Defined over P(S) for some finite set S • Partial order: µ • Example:

  8. Fixpoints: definitions (II) • Predicate transformer: ¿: P(S)!P(S) asdf • F2P(S)is a fixpoint of ¿ iff ¿(F) = F S S ¿

  9. Fixpoints: definitions (III) • F2P(S) is a least fixpoint of ¿ iff • F is a fixpoint of ¿, and • If G is a fixpoint of ¿, then FµG Notation: ¹X . ¿(X) • F2P(S) is a greatest fixpoint of ¿ iff • F is a fixpoint of ¿, and • If G is a fixpoint of ¿, then GµF Notation: ºX . ¿(X) G F

  10. Fixpoint properties (I) • Is there always a fixpoint? • No, e.g.: S{1}P(S) = { ;, { 1 } } ¿(;)  { 1 } ¿({ 1 })  ;

  11. Fixpoint properties (II) • If there is a fixpoint, is there always a least fixpoint? • No, e.g.: S {1, 2} ¿({ 2})  { 2} ¿({ 1})  { 1} ¿(;)  { 1}

  12. Monotonous functions • ¿ is monotonic iff for all FµG : ¿(F)µ¿(G) ¿(G) ¿ G ¿(F) F

  13. Fixpoint properties (IV) • Theorem (Knaster-Tarski): If ¿ is monotonous and S is finite, ¿ has a unique least fixpoint and a unique greatest fixpoint. • Proof: constructive.

  14. Computing least fixpoints Qold:=; Qnew=¿(Qold) while Qold Qnew do Qold:= Qnew Qnew:=¿(Qold) end while return Qnew • Need to show: • Termination • Result is a least fixpoint • Result is unique

  15. Correctness (I) • Qi : the value of Qnew in the i-th iteration Qold := ; Qnew = ¿(Qold) while Qold Qnew do Qold := Qnew Qnew := ¿(Qold) end while return Qnew ¿ ¿ ¿ ¿ … = ; Q0 Q1 Q2 Qn Qn+1 = Q! ¿(;) ¿2(;) ¿n(;) ¿n+1(;)

  16. Correctness (II) • Lemma: QiµQi+1 for all i • Proof by induction: • Base: i=0 Qold := ; Qnew = ¿(Qold) while Qold Qnew do Qold := Qnew Qnew := ¿(Qold) end while return Qnew ¿ ; µ Q0 Q1 (;)

  17. Correctness (III) • Lemma: QiµQi+1 for all i • Proof by induction: • Step: Qold := ; Qnew = ¿(Qold) while Qold Qnew do Qold := Qnew Qnew := ¿(Qold) end while return Qnew ¿ ¿  ? µ µ Qi-1 µQi Qi-1 Qi Qi+1  ¿is monotonic Qi= ¿(Qi-1) µ ¿(Qi) = Qi+1 Induction hypothesis

  18. Correctness (IV) Lemma: QiµQi+1 for all i • Termination: S is finite Qold := ; Qnew = ¿(Qold) while Qold Qnew do Qold := Qnew Qnew := ¿(Qold) end while return Qnew ¿ ¿ ¿ ¿ … = ; µ µ µ µ Q0 Q1 Q2 Qn Qn+1 • Need to show: • ) Termination • Result is a least fixpoint • Result is unique ¿2(;) ¿n(;) ¿n+1(;) ¿(;) 

  19. Correctness (V) • Q! is a least fixpoint: • Let G be some fixpoint. • Need to show: Q !µG • We will show: QiµG for all i • Base: Q0=;µG • Step: Assume QiµG Qi+1= ¿(Qi)µ¿(G) = G Qold := ; Qnew = ¿(Qold) while Qold Qnew do Qold := Qnew Qnew := ¿(Qold) end while return Qnew • Need to show: •  Termination • ) Result is a least fixpoint • Result is unique  

  20. Correctness (VI) • The least fixpoint is unique: • Let F and G be least fixpoints • FµGandGµF )F=G  

  21. The Initial Estimate • We used Q0=; • Can start with any “conservative” estimate • Iµleast fixpoint

  22. Computing greatest fixpoints Qold:=S Qnew=¿(Qold) while Qold Qnew do Qold:= Qnew Qnew:=¿(Qold) end while return Qnew

  23. Agenda • Review • Some fixpoint theory Syntax and semantics of ¹-Calculus • Examples • Symbolic Model Checking • Applications 

  24. ¹-Calculus (I) • Let AP be a set of atomic propositions • LetVAR={Y1, Y2, …} be a set of relational variables • The formulas of ¹-Calculus: • p2AP • Y2VAR • If f and g are formulas, so are fÇg, fÆg, f

  25. ¹-Calculus (II) • The formulas of ¹-Calculus (cont’d): • If f is a formula, so are ¤f and }f • If Y is a relational variable and f is a formula, the following are formulas: • ¹Y . f • ºY . f AX EX x. P(x) ¹Y . f(Y) bind Y A formula is closed if all its fixpoint variables are bound

  26. ¹-Calculus Semantics (I) • For Y2VAR, Y is a formula. • But what does it mean? • e:VAR!2S is an environment • Define: e[QÃW]is e with W substituted for Q • (e[QÃW])(Q) = W • The environment is not needed for closed formulas

  27. ¹-Calculus Semantics (II) • A formula f is interpreted as a set of states in which f is true • Notation: «f¬Me • «p¬Me={s2S|p2L(s)} • «Y¬Me=e(Y) • «:f¬Me=Sn«f¬Me • «fÆg¬Me=«f¬MeÅ«g¬Me • «fÇg¬Me=«f¬Me[«g¬Me M,s ⊨ f s «f¬M

  28. ¹-Calculus Semantics (II) • «}f ¬Me={s|9t:R(s,t)Æt2«f¬Me} • «¤f ¬Me={s|8t:R(s,t)!t2«f¬Me} • «¹Y.f¬Me is the least fixpoint of: ¿(W)=«f¬Me[YÃW] • «ºY.f¬Me is the greatest fixpoint s s «f¬ «f¬

  29. Restrictions on ¹-Calculus • Are all formulae monotonic? • fÆg, fÇg • :f ) fixpoint variables must be under an even number of negations ¹Y.:Y ºY.:(YÇp) ¹Y.:(:YÇp)   ¹Y.:(:YÇp) ¹Y.(::YÆ:p) ¹Y.(YÆ:p) ¹-Calculus is closed under negation  ¿(;)  { 1 } ¿({ 1 })  ;  : 

  30. Agenda • Review • Some fixpoint theory • Syntax and semantics of ¹-Calculus Examples • Symbolic Model Checking • Applications 

  31. Why are fixpoints interesting? • Recall from Logic I: • I( A, P ) : the smallest set W such that • AµW, and • If x2W and f2P then x2W. • I( A, P ) = ¹Y. AÇP( Y ) P A

  32. Intuition for least fixpoints • x2«¹Y .¿(Y)¬ • “Finite iteration” • Example: • EF'=¹Y . 'Ç}Y … ; x

  33. Intuition for greatest fixpoints • x2«ºY .¿(Y)¬ • “Invariant” • Example: • EG'=ºY.'Æ}Y S= … = x x x x x

  34. ¹-Calculus aerobic (I) • ¹Y.qÇ(pƤY) = ? A[p U q] • ºY.qÇ(pƤY) = ? A[p W q] q p p … Y0 Y1 Y2

  35. ¹-Calculus aerobic (II) • ¹Y.ºZ.(pƤY)Ç(:pƤZ) = ? • Can pass through Y a finite number of times • Each time p holds • Can pass through Z infinitely • Each time p doesn’t hold ) “p is true only finitely often on all paths”

  36. ¹-Calculus aerobic (III) • ¹Y.ºZ.(pƤY)Ç(:pƤZ) = ? • Inner computation 1: Y0=;, Z00=S • Z!0 = ºZ. :p Æ ¤Z=AG:p Notation: Yi : ith estimate for Y Zij : ith estimate for Z, using the jth estimate for Y ! denotes the last iteration p S :p AG:p p p :p :p :p :p …

  37. ¹-Calculus aerobic (IV) • ¹Y.ºZ.(pƤY)Ç(:pƤZ) = ? • Outer iteration 1: • Y1 = (pƤY 0)Ç(:pƤZ!0) AG:p AG:p :p :p :p :p …

  38. AG:p :p :p :p :p … AG:p p :p :p :p … AG:p :p :p p :p … ¹-Calculus aerobic (V) • ¹Y.ºZ.(pƤY)Ç(:pƤZ) = ? • Inner computation 2: • Z!1 = ºZ.(pƤY1)Ç(:pƤZ) A[:pW( pƤY1 )] : p p AG:p

  39. AG:p :p :p :p :p … AG:p p :p :p :p … AG:p :p :p p :p … ¹-Calculus aerobic (VI) • ¹Y.ºZ.(pƤY)Ç(:pƤZ) = ? • Outer iteration 2: • Y2 = (pƤY1)Ç(:pƤZ! 2) :p p AG:p p AG:p Y1 Z! 2

  40. ¹-Calculus aerobic (VI) • ¹Y.ºZ.(pƤY)Ç(:pƤZ) = ? • Every inner computation: A[:pW( pƤYn )] • Add a “layer” of :p (with infinite behaviors) • Every outer iteration: (pƤYn)Ç(:pƤZm) • Add a single p

  41. ¹-Calculus aerobic (VII) • ¹Y.ºZ.(pƤY)Ç(:pƤZ) = ? • p can appear a finite number of times finite no. AG:p p p :p :p p :p :p p p :p …

  42. Agenda • Review • Some fixpoint theory • Syntax and semantics of ¹-Calculus • Examples Symbolic Model Checking • Applications 

  43. Symbolic Model Checking eval(f, e) f states that satisfy f M, e

  44. Model Checking Algorithm (I) • if f=p : return {s|p2L(s)} • if f=Q: return e(Q) • if f = g1Æg2: return eval(g1,e)Åeval(g2 , e ) • if f = g1Çg2: return eval(g1,e)[eval(g2 , e )

  45. Model Checking Algorithm (II) • if f=} g : return {s|9t[R(s,t)Æt2eval(g,e)] } • if f=¤g: return {s|8t[R(s,t)!eval(g,e)(t)] }

  46. Model Checking Algorithm (III) • if f=¹Y.g(Y): Qnew = ; repeat Qold = Qnew Qnew = eval( g,e[YÃQnew]) until Qnew = Qold return Qnew

  47. Model Checking Algorithm (III) • if f=ºY.g(Y): Qnew = S repeat Qold = Qnew Qnew = eval( g,e[YÃQnew]) until Qnew = Qold return Qnew

  48. Model Checking Complexity (I) if f=p : return {s|p2L(s)} if f=Q: return e(Q) if f = g1Æg2: return eval(g1,e)Åeval(g2 , e ) if f = g1Çg2: return eval(g1,e)[eval(g2 , e ) if f=} g : return {s|9t[R(s,t)Æt2eval(g,e)] } if f=¤g: return {s|8t[R(s,t)!eval(g,e)(t)] } O( |M| )

  49. Model Checking Complexity (II) • if f=¹Y.g(Y): Qnew = ; repeat Qold = Qnew Qnew = eval( g,e[YÃQnew]) until Qnew = Qold return Qnew O( |S| ) Repeat entire computation of eval(g) Overall complexity: nesting depth O( |M| ¢ |f| ¢ |S|k)

  50. Improved Model Checking (I) • Example: ¹Y.g(Y,¹Z.h(Y, Z)) ¹Y ¹Z ; ; Before: Now: Y1 =g(;,Z! 0) = = Z! 0= ¹Z.h(;, Z) |S| iterations |S| iterations = Z! 1= ¹Z.h(Y1, Z) Y2 =g(Y1,Z!1) = |S| iterations O(|S|2))O(|S| + |S|)

More Related