Checking Extended CTL Properties Using Guarded Quotient Structure Xiaodong Wang advised by: Professor Sistla

Checking Extended CTL Properties Using Guarded Quotient ...xwang1/paper/slides.pdfCCTL Syntax Cont. Fairness path quantifier: E fair weak/strong process fairness COUNT term: COUNT(i,




Outline

● Part I: Symmetry based method

● Part II: CCTL logic

● Part III: Input language

● Part IV: Model checking algorithm


Part I: Symmetry Based Method

● Part I: Symmetry based method
– Overview
– QS Method
– AQS Method
– GQS Method

● Part II: CCTL

● Part III: Input language

● Part IV: Model checking algorithm

● Conclusion


Model Checking Overview

Figure: model checking flow. A system description goes through model building to produce the model; the model and the correctness specification go into model checking, which answers either "yes, the system satisfies the correctness spec" or "no" together with counter-example(s).


State Explosion Problem

● State explosion problem

– Exponential number of states in the state space

– Even infinite state space

● Generally undecidable

● Some model checking methods are optimized for specific types of systems


Symmetric System

Figure: a symmetric system made of two modules, Client (client0, client1, client2) and Server (server0, server1); each module consists of identical processes.

To model check such systems, we exploit the symmetry in the system.


Symmetry Based Methods Overview

Figure: symmetry-based model checking flow. The symmetries of the system description define an equivalence relation; model building (on-the-fly) uses it to produce the quotient structure; model checking the quotient structure against the property (a temporal logic formula) answers either "yes, the system satisfies the property" or "no" together with output path(s).


Example: Mutual Exclusion Protocol with 2 processes

Figure: Process 1 and Process 2 each have the local states Non-critical (N), Trying (T) and Critical (C). The synchronized state graph has the global states N1 N2, T1 N2, N1 T2, T1 T2, C1 N2, N1 C2, C1 T2 and T1 C2.


Process Symmetry

Figure: the synchronized state graph of the two-process protocol drawn twice, the second time with the process ids exchanged by the permutation flip: 1 ↔ 2 (N1 N2 becomes N2 N1, T1 N2 becomes T2 N1, and so on), illustrating that flip maps the state graph onto itself.


Symmetry Group

● Process symmetries of the system form a group: {flip, id}

● Process symmetries of some systems may be obtained from the system description directly

Figure: server/client example with servers s1, s2 and clients c1, c2, c3; the permutations within the server ids and within the client ids are the process symmetries read off the description.


Equivalence Relation over States

Figure: the state graph with states related by flip grouped together; for example flip(T1 N2) = T2 N1, i.e. the state N1 T2, so T1 N2 and N1 T2 are equivalent.


Quotient Structure

Figure: quotient structure consisting of the representative states N1 N2, N1 T2, T1 T2, C1 N2 and C1 T2.


QS Method Overview [1]

Figure: QS method flow. From the symmetric system description, the symmetry group gives an equivalence relation and model building produces the quotient structure (QS); the LTL formula (a symmetric property) is turned into automata; model checking explores the product of the QS and the automata and answers either "yes, the system satisfies the LTL formula" or "no" together with an output trace.


Symmetry Group for QS Method

● System symmetries: {flip, id}

● Formula symmetries for G(!(C1 ^ C2)): {flip, id}

● Symmetry group: the symmetries common to the system symmetries and the formula symmetries, here {flip, id}

A larger symmetry group is obtained for a symmetric system with a symmetric property.


Quotient Structure

Figure: quotient structure with representative states N1 N2, T1 N2, T1 T2, C1 N2 and C1 T2 for the symmetric system (mutual exclusion protocol) and the symmetric property G(!(C1 ^ C2)).


AQS Method Overview [2,3,4]

Figure: AQS method flow. The system symmetry of the symmetric system gives an equivalence relation, and model building produces the annotated quotient structure (AQS); the LTL formula (a symmetric or asymmetric property) is turned into automata; model checking partially unwinds the AQS on-the-fly (indirectly, by permuting process ids in the formula) and answers either "yes, the system satisfies the formula" or "no" together with an output trace.


Symmetry Group for AQS Method

● System symmetries: {flip, id}

● Formula symmetry for EF(C2): {id}

● Symmetry group: taken from the system symmetries alone, {flip, id}


Annotated Quotient Structure

Figure: AQS of the symmetric system (mutual exclusion protocol) with representative states N1 N2, T1 N2, T1 T2, C1 N2 and C1 T2; each edge is annotated with a permutation (flip or id). The AQS does not depend on the formula.


Directly Unwind AQS

Figure: a path in the AQS (edges annotated flip, id, flip, flip, id, id) next to the actual path it represents in the full state graph, obtained by applying the accumulated permutations to the representative states.


Indirectly Unwind AQS

Figure: the same path in the AQS; instead of building the actual states, the process ids in the atomic proposition are permuted. For the atomic proposition C2:

(flip*id*flip)([T2,C1]) satisfies C2 iff [T2,C1] satisfies C_{(flip*id*flip)^-1(2)}
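As an added example (not code from the slides or the author's tool), the following Python builds the synchronized state graph of the two-process mutual exclusion protocol, collapses it under the symmetry group {id, flip} into an annotated quotient structure, and performs both the direct and the indirect unwinding shown above. Process ids 0 and 1 stand for the slides' 1 and 2; the successor rule (N to T, T to C only while no other process is in C, C to N) and the choice of orbit representative are assumptions made here.

```python
# Added example (not from the slides): the two-process mutual exclusion
# protocol, its symmetry group {id, flip}, the annotated quotient structure
# (AQS) and both unwindings. Process ids are 0 and 1 (the slides use 1 and 2);
# a global state is a tuple of local states, e.g. ("T", "N") for T1 N2.
RANK = {"N": 0, "T": 1, "C": 2}          # non-critical, trying, critical

def successors(state):
    """N -> T freely; T -> C only while no other process is in C; C -> N."""
    out = set()
    for i, local in enumerate(state):
        if local == "T" and any(l == "C" for j, l in enumerate(state) if j != i):
            continue                     # mutual exclusion: keep trying
        nxt = {"N": "T", "T": "C", "C": "N"}[local]
        out.add(state[:i] + (nxt,) + state[i + 1:])
    return out

def reachable(init):
    """Explicit synchronized state graph {state: set of successors} from init."""
    graph, todo = {}, [init]
    while todo:
        s = todo.pop()
        if s not in graph:
            graph[s] = successors(s)
            todo.extend(graph[s])
    return graph

# A permutation of process ids is a tuple p with p[i] = image of process i.
ID, FLIP = (0, 1), (1, 0)
GROUP = [ID, FLIP]                       # the symmetry group of the protocol

def permute_state(p, state):
    """p(s): process p[i] of the result holds the local state of process i."""
    new = [None] * len(state)
    for i, local in enumerate(state):
        new[p[i]] = local
    return tuple(new)

def compose(p, q):
    """(p*q)(i) = p(q(i)), so permute_state(compose(p, q), s) == p(q(s))."""
    return tuple(p[q[i]] for i in range(len(q)))

def inverse(p):
    inv = [0] * len(p)
    for i, image in enumerate(p):
        inv[image] = i
    return tuple(inv)

def representative(state):
    """Orbit representative: the orbit element whose process 0 is furthest along."""
    orbit = [permute_state(p, state) for p in GROUP]
    return max(orbit, key=lambda s: tuple(RANK[l] for l in s))

def annotated_quotient(graph):
    """AQS: rep -> {(rep_of_succ, p)} with succ == permute_state(p, rep_of_succ)."""
    aqs = {}
    for s in graph:
        if representative(s) != s:
            continue
        aqs[s] = set()
        for t in graph[s]:
            r = representative(t)
            p = next(p for p in GROUP if permute_state(p, r) == t)
            aqs[s].add((r, p))
    return aqs

def unwind(aqs_path):
    """Direct unwinding: apply the accumulated permutation to each representative."""
    acc, actual = ID, []
    for rep, p in aqs_path:              # aqs_path = [(rep0, id), (rep1, p1), ...]
        acc = compose(acc, p)
        actual.append(permute_state(acc, rep))
    return actual

def holds_on_rep(rep, acc, local, proc):
    """Indirect unwinding: acc(rep) has `local` at `proc` iff rep has it at acc^-1(proc)."""
    return rep[inverse(acc)[proc]] == local
```

The quotient has the five representatives of the slides (N1 N2, T1 N2, T1 T2, C1 N2, C1 T2 in 0/1 notation), and `holds_on_rep` is the permuted-proposition check of the slide, so the actual state is never materialised.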


GQS Method Overview [5]

Figure: GQS method flow. A symmetric or asymmetric system is first made symmetric by adding edges; the symmetries of the resulting symmetric system give an equivalence relation, model building produces the AQS, and adding guards to its edges gives the guarded quotient structure (GQS). The LTL formula (a symmetric or asymmetric property) is turned into automata; model checking partially unwinds the GQS (checking guards, and permuting process ids in the formula and in the guards) and answers either "yes, the system satisfies the property" or "no" together with an output trace.


Partially Symmetric / Asymmetric Systems

Figure: Process 1 and Process 2, each with the local states Non-critical (N), Trying (T) and Critical (C); when process 1 and process 2 are both in "T", process 1 has higher priority to enter "C".

This is a partially symmetric system.


From Partially Symmetric to Symmetric

Figure: the state graph of the partially symmetric system and the symmetric system obtained from it; edges are added to make it more symmetric.

This may be done directly with the system description, i.e. by ignoring the priorities.


Guarded Quotient Structure

Figure: the AQS (representative states N1 N2, T1 N2, T1 T2, C1 N2, C1 T2 with edges annotated flip or id) and the GQS obtained from it by adding edge conditions; the guarded edges carry the annotations (flip, T1^C1') and (id, T1^C1').


Infeasible Path

Figure: a path in the GQS (edges annotated flip, id, (flip, T1^C1'), flip, id, (id, T1^C1')) next to the corresponding actual path; the corresponding actual path is infeasible.


Summary of the Three Symmetry Based Methods

● QS method
– Primarily safety properties
– Symmetric systems and symmetric properties

● AQS method
– Both safety and liveness properties
– Symmetric systems

● GQS method
– Both safety and liveness properties
– Partially symmetric and asymmetric systems


Questions?


Part II: CCTL Logic

● Part I: Symmetry based method

● Part II: CCTL
– CCTL syntax
– CCTL semantics

● Part III: Input language

● Part IV: Model checking algorithm

● Conclusion


CCTL Syntax

<formula> :: <atomic formula>
           | <count-term> <comp-operator> <count-term>
           | <formula> ^ <formula>
           | ! <formula>
           | EX(<formula>) | EfairX(<formula>)
           | EG(<formula>) | EfairG(<formula>)
           | E(<formula> U <formula>) | Efair(<formula> U <formula>)

<count-term> :: COUNT(i, M, <formula>) | <constant>


CCTL Syntax Cont.

● Fairness path quantifier: Efair (weak/strong process fairness)

● COUNT term: COUNT(i, M, h(i))
– i: free process variable in h
– M: set of process ids i ranges over
– h(i): CCTL formula
– Example: COUNT(i, client, Ci)

Figure: an "unfair" path N1 N2, N1 T2, T1 T2, T2 C1, N1 T2, T1 T2, T2 C1, ...; process 2 stays in T while process 1 enters C again and again.
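The CCTL grammar of the two syntax slides above, as an added example that is not from the slides: a small recursive-descent parser that turns a CCTL formula into a nested-tuple AST. It assumes that M in COUNT(i, M, h(i)) is given by name (as in COUNT(i, client, Ci)), that atomic formulas are identifiers such as C1 or lk[i], and that ! binds tighter than ^, which is treated as left-associative.

```python
# Added example (not from the slides): a recursive-descent parser for the CCTL
# grammar above, producing a nested-tuple AST. Assumptions: M in COUNT(i, M, h)
# is given by name, atoms are identifiers such as C1 or lk[i], and ! binds
# tighter than ^, which is left-associative.
import re

TOKEN = re.compile(
    r"\s*(?:\b(COUNT|EfairX|EfairG|Efair|EX|EG|E|U)\b"   # keywords
    r"|([A-Za-z_][A-Za-z0-9_]*(?:\[[^\]]*\])?)"          # atoms / variables
    r"|(\d+)|(<=|>=|!=|[=<>!^(),]))")                    # constants, operators

def tokenize(text):
    pos, toks, text = 0, [], text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m: raise SyntaxError(f"bad input at {text[pos:]!r}")
        pos = m.end()
        kw, ident, num, op = m.groups()
        toks.append(("kw", kw) if kw else ("id", ident) if ident
                    else ("num", int(num)) if num else ("op", op))
    return toks

class Parser:
    def __init__(self, text):
        self.toks, self.pos = tokenize(text), 0
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else (None, None)
    def take(self, kind=None, value=None):
        tok = self.peek()
        if (kind and tok[0] != kind) or (value is not None and tok[1] != value):
            raise SyntaxError(f"expected {value or kind}, got {tok[1]!r}")
        self.pos += 1
        return tok
    def formula(self):                       # <formula> ^ <formula>
        node = self.unary()
        while self.peek() == ("op", "^"):
            self.take(); node = ("and", node, self.unary())
        return node
    def unary(self):                         # ! <formula>
        if self.peek() == ("op", "!"):
            self.take(); return ("not", self.unary())
        return self.primary()
    def primary(self):
        kind, val = self.peek()
        if (kind, val) == ("op", "("):
            self.take(); node = self.formula(); self.take("op", ")")
            return node
        if kind == "kw" and val in ("EX", "EfairX", "EG", "EfairG"):
            self.take(); self.take("op", "("); node = (val, self.formula())
            self.take("op", ")")
            return node
        if kind == "kw" and val in ("E", "Efair"):   # E(f1 U f2), Efair(f1 U f2)
            self.take(); self.take("op", "("); f1 = self.formula()
            self.take("kw", "U"); f2 = self.formula(); self.take("op", ")")
            return (val + "U", f1, f2)
        if kind == "num" or (kind, val) == ("kw", "COUNT"):   # count-term comparison
            lhs = self.count_term()
            op = self.take("op")[1]
            if op not in ("=", "!=", "<", "<=", ">", ">="):
                raise SyntaxError(f"expected comparison operator, got {op!r}")
            return ("cmp", op, lhs, self.count_term())
        return ("atom", self.take("id")[1])  # <atomic formula>
    def count_term(self):                    # COUNT(i, M, h(i)) | <constant>
        kind, val = self.peek()
        if kind == "num":
            self.take()
            return ("const", val)
        self.take("kw", "COUNT"); self.take("op", "(")
        var = self.take("id")[1]; self.take("op", ",")
        dom = self.take("id")[1]; self.take("op", ",")
        body = self.formula(); self.take("op", ")")
        return ("count", var, dom, body)

def parse(text):
    p = Parser(text)
    node = p.formula()
    if p.peek() != (None, None):
        raise SyntaxError(f"unexpected trailing token {p.peek()[1]!r}")
    return node
```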


COUNT Term's Semantics

Figure: on the state S = C1 N2, COUNT(i, client, Ci) evaluates to 1. On the state S highlighted in the full state graph, COUNT(i, client, Ti ^ EX(Ci)) evaluates to 2.


Why Introduce the COUNT Term

● Uniformly express properties such as COUNT(i, {1,2,3,4}, g(i)) = COUNT(i, {1,2,3,4}, h(i)); written without COUNT, the equivalent formula f = (g(1)^!g(2)^!g(3)^!g(4) ^ h(1)^!h(2)^!h(3)^!h(4)) v (g(1)^!g(2)^!g(3)^!g(4) ^ !h(1)^h(2)^!h(3)^!h(4)) v ... contains 70 sub-formulas

● Efficiently evaluate COUNT terms


Expressing Other Temporal Operators and Process Quantifiers

● Other temporal operators:
AX(f) = !EX(!f)
AG(f) = !EF(!f)
A(f1 U f2) = !(EG(!f2) v E(!f2 U (!f1 ^ !f2)))

● Process quantifiers:
Universal quantifier: COUNT(i, M, h(i)) = COUNT(i, M, True)
Existential quantifier: COUNT(i, M, h(i)) > 0


Questions?


Part III: Input Language

● Part I: Symmetry based method

● Part II: CCTL

● Part III: Input language

● Part IV: Model checking algorithm

● Conclusion


Structure of Input

Figure: the input consists of a concurrent program (module 1, module 2, ..., each with initial values and transition templates), a CCTL formula and an evaluation for the CCTL formula. Processes are instantiated from modules by instantiating all the transition templates in that module.


Concurrent Program

● Program variable: reply[i,j]

● Process variable: i, j

● Transition template:

cl of controller {
  ...
  lc[cl] == 0 & request[cl,k] == 1 & ALL(i: reply[i,k] == 0)
    reply[ck,k] = 1, buzy[cl] == 1, lc[cl] == 1   (Priority: 0-1;2-5)
  ...
}

● Priority specification: (Priority: 0-1;2-5)

● Allow multiple priority specifications in one module


CCTL Formula and Evaluation

● CCTL formula using only free process variables:

AG(lk[i] != 2 V lk[j] != 2)

● Evaluation of the free process variables in the formula:

i = 1, j = 2


Questions?


Part IV: Model Checking Algorithm

● Part I: Symmetry based method

● Part II: CCTL

● Part III: Input language

● Part IV: Model checking algorithm
– Overview
– Employing GQS
– Evaluate COUNT term
– Model checking procedures
– Implementation and Experiments

● Conclusion


Overview

● Assume GQS has been fully constructed

● Model Checking the CCTL formula employing GQS

– Indirectly unwind GQS

– Quantifier elimination

– Work inductively over the structure of the CCTL formula


Why the Algorithm is Efficient

● Quantifier elimination: only check the formula with the representative of each equivalence class

● Lazy evaluation: f1 ^ f2

● Formula decomposition

● Sub-formula tracking


Indirectly Unwind GQS

Figure: a path in the GQS with numbered edge annotations flip1, id2, (flip3, T1^C1'), flip4, id5, (id6, T1^C1') next to the actual path. For each step the figure tabulates the inverse of the accumulated permutation (id, flip1^-1, id2^-1*flip1^-1, flip3^-1*id2^-1*flip1^-1, flip4^-1*flip3^-1*id2^-1*flip1^-1, id5^-1*flip4^-1*flip3^-1*id2^-1*flip1^-1), the permuted evaluation of i and j (1, 2 or 2, 1) and the permuted edge condition (T1^C1' or T2^C2').


Naïve Method to Evaluate COUNT Term

To evaluate COUNT(i, {1,2,3,4,5,6}, h(i,j)) on S under the evaluation f (j = 3), check h(1,3), h(2,3), h(3,3), h(4,3), h(5,3) and h(6,3) one by one; here COUNT(i, {1,2,3,4,5,6}, h(i,j)) = 3.

This may be quite inefficient for a large number of process ids.


Evaluate COUNT Term Efficiently

Set of process ids i ranges over: 1, 2, 3, 4, 5, 6

Divide the set of process ids into equivalence classes: {1, 2}, {3}, {4, 5, 6}

Choose representatives: 1, 3, 4

Check with the representatives: h(1,3), h(3,3), h(4,3)

COUNT(i, {1,2,3,4,5,6}, h(i,j)) = 3


State Symmetry

● State symmetry of a state: for the state T1 T2 the state symmetry is {flip, id}; for the state T2 C1 the state symmetry is {id}

● Property of state symmetry: formulas permuted from the same formula with state symmetries of a state have the same truth value on that state. For example, flip(s1) = s1, so s1 satisfies EG(C1) iff flip(s1) satisfies flip(EG(C1)), i.e. s1 satisfies EG(C1) iff s1 satisfies EG(C2).


Utilizing State Symmetry

COUNT(i, {1,2,3,4,5,6}, h(i,j)) on S under the evaluation f (j = 3)

S's state symmetry classes: {1, 2, 3} and {4, 5, 6}

1 ↔ 2: h(1,3) => h(2,3), h(2,3) => h(1,3)
4 ↔ 5: h(4,3) => h(5,3), h(5,3) => h(4,3)
4 ↔ 6: h(4,3) => h(6,3), h(6,3) => h(4,3)
1 ↔ 3: h(1,3) => h(3,1), h(3,3) => h(1,1) (this symmetry moves j = 3, so it does not relate h(1,3) to h(3,3))

Classes for this COUNT term: {1, 2}, {3}, {4, 5, 6}


Equivalence Relation Over M

Let S be a state in GQS, Aut(S) be the set of state symmetries of S, f be the evaluation.

i ~ j if and only if there exists p in Aut(S) such that

for each v in dom(f), p(f(v)) = v and p(i) = j
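An added example (not from the slides) that evaluates COUNT(i, {1,...,6}, h(i,j)) with j = 3 both naively and through the equivalence relation over M defined above, reading the condition on p as "p fixes each value f(v)". The global state S (processes 1 to 3 trying, 4 to 6 critical), the evaluation f and the sub-formula h are constructed here, and Aut(S) is computed by brute force over all permutations of the six process ids.

```python
# Added example (not from the slides): evaluating a COUNT term naively and
# with the equivalence relation over M induced by the state symmetries Aut(S).
# The global state S, the evaluation f and the sub-formula h are constructed.
from itertools import permutations

S = {1: "T", 2: "T", 3: "T", 4: "C", 5: "C", 6: "C"}   # local state per process id
M = [1, 2, 3, 4, 5, 6]                  # process ids the COUNT variable i ranges over
H_CALLS = []                            # instrumentation: (i, j) pairs h was evaluated on

def state_symmetries(state):
    """Aut(S): permutations p of the process ids with p(S) == S, i.e. S[p(i)] == S[i]."""
    ids = sorted(state)
    return [dict(zip(ids, img)) for img in permutations(ids)
            if all(state[p_i] == state[i] for i, p_i in zip(ids, img))]

def classes_over_M(m, aut, f):
    """i ~ j iff some p in Aut(S) fixes every value f(v) and maps i to j."""
    fixing = [p for p in aut if all(p[f[v]] == f[v] for v in f)]
    classes = []                        # each class is [representative, other members...]
    for i in m:
        for cls in classes:
            if any(p[cls[0]] == i for p in fixing):
                cls.append(i)
                break
        else:
            classes.append([i])
    return classes

def h(state, i, j):
    """Constructed sub-formula h(i, j): process i is critical while process j is trying."""
    H_CALLS.append((i, j))
    return state[i] == "C" and state[j] == "T"

def count_naive(state, m, f):
    """Evaluate h(i, j) for every i in M."""
    return sum(1 for i in m if h(state, i, f["j"]))

def count_with_symmetry(state, m, f):
    """Evaluate h only on one representative per class: for p in Aut(S) fixing f,
    S satisfies h(i, j) iff p(S) = S satisfies h(p(i), j), so class members agree."""
    aut = state_symmetries(state)
    return sum(len(cls) for cls in classes_over_M(m, aut, f)
               if h(state, cls[0], f["j"]))
```

With j = 3 the classes come out as {1, 2}, {3}, {4, 5, 6}, as on the slides, and the symmetric evaluation calls h three times instead of six.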


Model Checking With Fairness

● S satisfies exist_fair_path means there exists a fair path from S

● Transform formulas with the fairness path quantifier:
EfairX(f) = EX(f ^ exist_fair_path)
Efair(f1 U f2) = E(f1 U (f2 ^ exist_fair_path))
EfairG(f): cannot be transformed using exist_fair_path


Major Data Structures

● label: <formula, evaluation, edge_vector>
– labels are associated with states in the GQS
– <h,f,k> in S denotes that h is satisfied on S with evaluation f and edge vector k

● mark: <formula, evaluation, edge_vector>
– marks are associated with states in the GQS
– <h,f,k> in S denotes that we have checked h against S with evaluation f and edge vector k


Check Procedure

● Invoked on the initial state S0

● Controlling procedure: check(h,f,k,s) invokes the other procedures according to the form of h:
– h = E(f1 U f2): EUCheck(h,f,k,s)
– h = EG(f): EGCheck(h,f,k,s)
– h = EfairG(f): EfairGCheck(h,f,k,s)
– h = exist_fair_path: efpCheck(h,f,k,s)

● The check procedure labels states with a formula once its truth value in those states is determined


Other Procedures

● EUCheck: E(f1 U f2)

● EGCheck: EG(f)

● EfairGCheck: EfairG(f)

● efpCheck: exist_fair_path

● Associate a mark with state S when these procedures are invoked with the parameters on the state for the first time


Implementation: Minimize Memory Consumption

● May consume a lot of memory

● Permutations: up to n! (n: # of processes); only store inverse permutations

● Labels and marks: up to N * Cl; store <h, p> instead of <h, f, k>, with (f, k) = p(f0, k0), where f0 is the evaluation in the input and k0 the process ids in the edge conditions of the GQS


Implementation: Search of Labels and Marks

Figure: labels and marks <h, p1>, <h, p2>, <h, p3>, ... are stored in a hash table under the keys k1, k2, k3, ..., each computed as hash(p(f0), p(k0)); an entry <h, p> is looked up by its key k. The hash key hash(p(f0), p(k0)) is computed efficiently.


Experiments

● Cache Coherence Protocol
mutual exclusion property: no two clients can hold the cache line exclusively at the same time

● Resource Controller Protocol
mutual exclusion property: no two clients can hold the resource at the same time


Experimental Results

Protocol                      Client#   quant_elim   Mark#    Time(s)
Resource Controller Protocol  10        Yes          208      0.02
Resource Controller Protocol  10        No           3780     1.6
Resource Controller Protocol  20        Yes          448      0.12
Resource Controller Protocol  20        No           *        *
Cache Coherence Protocol      4         Yes          96712    5.7
Cache Coherence Protocol      4         No           115344   6.9

"*" indicates stack overflow


Questions?


Conclusion

● The model checking algorithm is useful in checking complex properties

● Experiments show speed-up

● Need to combine with other methods


Selected References

● [1] Emerson, E. A., Sistla, A. P., Symmetry and Model Checking

● [2] Emerson, E. A., Sistla, A. P., Utilizing Symmetry when Model Checking under Fairness Assumptions: An Automata-theoretic Approach

● [3] Gyuris, V., Sistla, A. P., On-the-Fly Model Checking under Fairness that Exploits Symmetry

● [4] Sistla, A. P., Gyuris, V., Emerson, E. A., SMC: A Symmetry based Model Checker for Verification of Safety and Liveness Properties

● [5] Sistla, A. P., Godefroid, P., Symmetry and Reduced Symmetry in Model Checking


Thank you!