Linear-Time Model Checking: Automata Theory in Practice

Transcription

1 Linear-Time Model Checking: Automata Theory in Practice (Extended Abstract of an Invited Talk) Moshe Y. Vardi Rice University, Department of Computer Science, Houston, TX , U.S.A. Abstract. In automata-theoretic model checking we compose the design under verification with a Büchi automaton that accepts traces violating the specification. We then use graph algorithms to search for a counterexample trace. The basic theory of this approach was worked out in the 1980s, and the basic algorithms were developed during the 1990s. Both explicit and symbolic implementations, such as SPIN and and SMV, are widely used. It turns out, however, that there are still many gaps in our understanding of the algorithmic issues involved in automata-theoretic model checking. This paper covers the fundamentals of automata-theoretic model checking. The conference talk also reviews the reduction of the theory to practice and outlines areas that require further research. Keywords: Büchi automata, model checking, linear-temporal logic. 1 Introduction Formal verification is a process in which mathematical techniques are used to guarantee the correctness of a design with respect to some specified behavior. Automated formal-verification tools, such as COSPAN [15], SPIN [16] and SMV [7,20], based on model-checking technology [8,22], have enjoyed a substantial and growing use over the last few years, showing an ability to discover subtle flaws that result from extremely improbable events [9]. While until recently these tools were viewed as of academic interest only, they are now routinely used in industrial applications, resulting in decreased time to market and increased product integrity [10,11,18]. It is fair to say that automated verification is one of the most successful applications of automated reasoning in computer science. As model-checking technology matured, the demand for specification language of increased expressiveness increased interest in linear-time formalisms [2]. The automata-theoretic approach offers a uniform algorithmic framework for model checking linear-time properties [17,23,26]. It turns out, however, that Supported in part by NSF grants CCR , CCR , CCR , and ANI , by BSF grant , and by a grant from the Intel Corporation. Jan Holub and Jan Žd árek (Eds.): CIAA 2007, LNCS 4783, pp. 5 10, c Springer-Verlag Berlin Heidelberg 2007

2 6 M.Y. Vardi there are still many gaps in our understanding of the algorithmic issues involved in automata-theoretic model checking [25]. This paper covers the fundamental theory of automata-theoretic model checking. The conference talk also reviews the reduction of the theory to practice and outlines areas that require further research. 2 Basic Theory The first step in formal verification is to come up with a formal specification of the design, consisting of a description of the desired behavior. One of the more widely used specification languages for designs is temporal logic [21]. In linear temporal logics, time is treated as if each moment in time has a unique possible future. Thus, linear temporal formulas are interpreted over linear sequences, and we regard them as describing the behavior of a single computation of a system. (An alternative approach is to use branching time. For a discussion of linear vs. branching time, see [24].) In the linear temporal logic LTL, formulas are constructed from a set Prop of atomic propositions using the usual Boolean connectives as well as the unary temporal connectives X ( next ), F ( eventually ), G ( always ), and the binary temporal connective U ( until ). For example, the LTL formula G(request F grant), which refers to the atomic propositions request and grant, istrueina computation precisely when every state in the computation in which request holds is followed by some state in the future in which grant holds. The LTL formula G(request (request U grant)) is true in a computation precisely if, whenever request holds in a state of the computation, it holds until a state in which grant holds is reached. In LTL model checking we assume that the specification is given in terms of properties expressed by LTL formulas. LTL is interpreted over computations, which can be viewed as infinite sequences of truth assignments to the atomic propositions; i.e., a computation is a function π : IN 2 Prop that assigns truth values to the elements of Prop at each time instant (natural number). For a computation π and a point i IN, the notation π, i = ϕ indicates that a formula ϕ holds at the point i of the computation π. Inparticular,π, i = Xϕ if π, i +1 = ϕ, andπ, i = ϕuψ if for some j i, wehaveπ, j = ψ and for all k, i k<j,wehaveπ, k = ϕ. The connectives F and G can be defined in terms of the connective U: Fϕ is defined as true Uϕ,andGϕ is defined as F ϕ. Wesaythatπ satisfies aformulaϕ, denoted π = ϕ, iffπ, 0 = ϕ. We denote by models(ϕ) the set of computations satisfying ϕ. Designs can be described using a variety of formalisms. Regardless of the formalism used, a finite-state design can be abstractly viewed as a labeled transition system, i.e., as a structure of the form M =(W, W 0,R,V), where W is the finite set of states that the system can be in, W 0 W is the set of initial states of the system, R W 2 is a transition relation that indicates the allowable state transitions of the system, and V : W 2 Prop assigns truth values to the atomic propositions in each state of the system. (A labeled transition system is

3 Linear-Time Model Checking: Automata Theory in Practice 7 essentially a Kripke structure.) A path in M that starts at u is a possible infinite behavior of the system starting at u, i.e., it is an infinite sequence u 0,u 1,... of states in W such that u 0 = u, and(u i,u i+1 ) R for all i 0. The sequence V (u 0 ),V(u 1 ),... is a computation of M that starts at u. It is the sequence of truth assignments visited by the path, and can be viewed as a function from IN to 2 Prop.Thelanguage of M, denoted L(M), consists of all computations of M that start at a state in W 0.NotethatL(M) can be viewed as a language of infinite words over the alphabet 2 Prop. The language L(M) can be viewed as an abstract description of the system M, describing all possible traces. We say that M satisfies an LTL formula ϕ if all computations in L(M) satisfyϕ, that is, if L(M) models(ϕ). When M satisfies ϕ we also say that M is a model of ϕ, which explains why the technique is known as model checking [9]. One of the major approaches to automated verification is the automatatheoretic approach, which underlies model checkers that can handle linear-time specifications (for a precursor, see [19]). The key idea underlying the automatatheoretic approach is that, given an LTL formula ϕ, it is possible to construct a finite-state automaton A ϕ on infinite words that accepts precisely all computations that satisfy ϕ. The type of finite automata on infinite words we consider is the one defined by Büchi [4]. A Büchi automaton is a tuple A =(Σ,S,S 0,ρ,F), where Σ is a finite alphabet, S is a finite set of states, S 0 S is a set of initial states, ρ : S Σ 2 S is a nondeterministic transition function, and F S is a set of accepting states. A run of A over an infinite word w = a 1 a 2,isa sequence s 0 s 1,wheres 0 S 0 and s i ρ(s i 1,a i ) for all i 1. A run s 0,s 1,... is accepting if there is some accepting state that repeats infinitely often, i.e., for some s F there are infinitely many i s such that s i = s. The infinite word w is accepted by A if there is an accepting run of A over w. Thelanguage of infinite words accepted by A is denoted L(A). The following fact establishes the correspondence between LTL and Büchi automata [27] (for a tutorial introduction to this correspondence, see [23]): Theorem 1. Given an LTL formula ϕ, onecanbuildabüchi automaton A ϕ = (Σ,S,S 0,ρ,F),whereΣ =2 Prop and S 2 O( ϕ ), such that L(A ϕ )=models(ϕ). This correspondence reduces the verification problem to an automata-theoretic problem as follows [26]. Suppose that we are given a system M and an LTL formula ϕ. We check whether L(M) models(ϕ) as follows: (1) construct the automaton A ϕ that corresponds to the negation of the formula ϕ (this automaton is called the complementary automaton), (2) take the cross product of the system M and the automaton A ϕ to obtain an automaton A M,ϕ, such that L(A M,ϕ )=L(M) L(A ϕ ), and (3) check whether the language L(A M,ϕ ) is empty, i.e., A M,ϕ accepts no input. Theorem 2. Let M be a labeled transition system and ϕ be an LTL formula. Then M satisfies ϕ iff L(A M,ϕ )=. If L(A M,ϕ ) is empty, then the design is correct. Otherwise, the design is incorrect and the word accepted by L(A M,ϕ ) is an incorrect computation.

4 8 M.Y. Vardi The emptiness problem for an automaton is to decide, given an automaton A, whetherl(a) =, i.e., if the automaton accepts no word. Algorithms for emptiness are based on testing fair reachability in graphs: an automaton is nonempty if starting from some initial state we can reach an accepting state from where there is a cycle back to itself [6]. An algorithm for nonemptiness is the following: (i) decompose the transition graph of the automaton into maximal strongly connected components (msccs) (linear cost depth-first search [12]); (ii) verify that one of the msccs intersects with F (linear cost). More sophisticated Büchi nonemptiness algorithms have been studied, e.g., [13,14]. When the automaton is nonempty, nonemptiness algorithms return a witness in the shape of a lasso : an initial finite prefix followed by a finite cycle. (If the accepting states are sink states, then the finite cycle following the initial prefix can be ignored.) Thus, once the automaton A ϕ is constructed, the verification task is reduced to automata-theoretic problems, namely, intersecting automata and testing emptiness of automata, which have highly efficient solutions [23]. Furthermore, using data structures that enable compact representation of very large state spaces makes it possible to verify designs of significant complexity [3,5]. The linear-time framework is not limited to using LTL as a specification language. ForSpec and PSL are recent extensions of LTL, designed to address the need of the semiconductor industry [1,2]. There are also those who prefer to use automata on infinite words as a specification formalism [27]; in fact, this is the approach of COSPAN [15,17]. In this approach, we are given a design represented as a finite transition system M and a property represented by a Büchi (or a related variant) automaton P. The design is correct if all computations in L(M) are accepted by P, i.e., L(M) L(P ). This approach is called the languagecontainment approach. To verify M with respect to P, we: (1) construct the automaton P c that complements P, (2) take the product of the system M and the automaton P c to obtain an automaton A M,P, and (3) check that the automaton A M,P is nonempty. As before, the design is correct iff A M,P is empty. Thus, the verification task is again reduced to automata-theoretic problems, namely complementing and intersecting automata and testing emptiness of automata. References 1. Albin, K., et al.: Property Specification Language Reference Manual. Technical Report Version 1.1, Accellera (2004) 2. Armoni, R., Fix, L., Flaisher, A., Gerth, R., Ginsburg, B., Kanza, T., Landver, A., Mador-Haim, S., Singerman, E., Tiemeyer, A., Vardi, M.Y., Zbar, Y.: The ForSpec temporal logic: A new temporal property-specification logic. In: Katoen, J.-P., Stevens, P. (eds.) ETAPS 2002 and TACAS LNCS, vol. 2280, pp Springer, Heidelberg (2002) 3. Biere, A., Cimatti, A., Clarke, E.M., Zhu, Y.: Symbolic model checking without BDDs. In: Cleaveland, W.R. (ed.) ETAPS 1999 and TACAS LNCS, vol. 1579, Springer, Heidelberg (1999) 4. Büchi, J.R.: On a decision method in restricted second order arithmetic. In: Proc. Int. Congress on Logic, Method, and Philosophy of Science. 1960, pp Stanford University Press (1962)

5 Linear-Time Model Checking: Automata Theory in Practice 9 5. Burch, J.R., Clarke, E.M., McMillan, K.L., Dill, D.L., Hwang, L.J.: Symbolic model checking: states and beyond. Information and Computation 98(2), (1992) 6. Choueka, Y.: Theories of automata on ω-tapes: A simplified approach. Journal of Computer and Systems Science 8, (1974) 7. Cimatti, A., Clarke, E.M., Giunchiglia, E., Giunchiglia, F., Pistore, M., Roveri, M., Sebastiani, R., Tacchella, A.: Nusmv 2: An opensource tool for symbolic model checking. In: Brinksma, E., Larsen, K.G. (eds.) CAV LNCS, vol. 2404, pp Springer, Heidelberg (2002) 8. Clarke, E.M., Emerson, E.A., Sistla, A.P.: Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Transactions on Programming Languagues and Systems 8(2), (1986) 9. Clarke, E.M., Grumberg, O., Peled, D.: Model Checking. MIT Press, Cambridge (1999) 10. Clarke, E.M., Kurshan, R.P.: Computer aided verification. IEEE Spectrum 33, (1986) 11. Clarke, E.M., Wing, J.M.: Formal methods: State of the art and future directions. ACM Computing Surveys 28, (1996) 12. Cormen, T.H., Leiserson, C.E., Rivest, R.L.: Introduction to Algorithms. MIT Press and McGraw-Hill (1990) 13. Courcoubetis, C., Vardi, M.Y., Wolper, P., Yannakakis, M.: Memory efficient algorithms for the verification of temporal properties. Formal Methods in System Design 1, (1992) 14. Emerson, E.A., Lei, C.-L.: Efficient model checking in fragments of the propositional μ-calculus. In: Proc. 1st IEEE Symp. on Logic in Computer Science, pp IEEE Computer Society Press, Los Alamitos (1986) 15. Hardin, R.H., Har el, Z., Kurshan, R.P.: COSPAN. In: Alur, R., Henzinger, T.A. (eds.) CAV LNCS, vol. 1102, pp Springer, Heidelberg (1996) 16. Holzmann, G.J.: The model checker SPIN. IEEE Transactions on Software Engineering 23(5), (1997) 17. Kurshan, R.P.: Computer Aided Verification of Coordinating Processes. Princeton Univ. Press, Princeton, NJ (1994) 18. Kurshan, R.P.: Formal verification in a commercial setting. In: Proc. 34st Design Automation Conf., vol. 34, pp (1997) 19. Lichtenstein, O., Pnueli, A.: Checking that finite state concurrent programs satisfy their linear specification. In: Proc. 12th ACM Symp. on Principles of Programming Languages, pp ACM Press, New York (1985) 20. McMillan, K.L.: Symbolic Model Checking. Kluwer Academic Publishers, Dordrecht (1993) 21. Pnueli, A.: The temporal logic of programs. In: Proc. 18th IEEE Symp. on Foundations of Computer Science, pp IEEE Computer Society Press, Los Alamitos (1977) 22. Queille, J.P., Sifakis, J.: Specification and verification of concurrent systems in Cesar. In: Dezani-Ciancaglini, M., Montanari, U. (eds.) International Symposium on Programming. LNCS, vol. 137, pp Springer, Heidelberg (1982) 23. Vardi, M.Y.: An automata-theoretic approach to linear temporal logic. In: Moller, F., Birtwistle, G. (eds.) Logics for Concurrency. LNCS, vol. 1043, pp Springer, Heidelberg (1996) 24. Vardi, M.Y.: Branching vs. linear time: Final showdown. In: Margaria, T., Yi, W. (eds.) ETAPS 2001 and TACAS LNCS, vol. 2031, pp Springer, Heidelberg (2001)

6 10 M.Y. Vardi 25. Vardi, M.Y.: Automata-theoretic model checking revisited. In: Cook, B., Podelski, A. (eds.) VMCAI LNCS, vol. 4349, pp Springer, Heidelberg (2007) 26. Vardi, M.Y., Wolper, P.: An automata-theoretic approach to automatic program verification. In: Proc. 1st IEEE Symp. on Logic in Computer Science, pp IEEE Computer Society Press, Los Alamitos (1986) 27. Vardi, M.Y., Wolper, P.: Reasoning about infinite computations. Information and Computation 115(1), 1 37 (1994)