Parallel Model Checking Game for CTL
Lecture 6 – 14.5.02
Lecturer: Orna Grumberg
2
Based on:
• Parallel Model Checking for the Alternation Free μ-Calculus, by Benedikt Bollig, Martin Leucker and Michael Weber. Appeared in the conference TACAS'01.
• The book Modal and Temporal Properties of Processes, by Colin Stirling.
3
Intuitive explanation
• The model checking algorithm is based on a two-person game:
- one player, ∃loise, tries to verify the formula on the model
- the other player, ∀belard, tries to falsify it
• We first handle only formulas built from AX, EX, ∧, and ∨.
4
• The players traverse the model starting from a state s.
• If the formula is φ1 ∧ φ2 or φ1 ∨ φ2 and the player is on state t, then the player decides whether he/she wants to falsify/verify φ1 or φ2 on t.
• If the formula is EXφ or AXφ, then the player chooses a successor of t from which the play proceeds with φ.
∀belard plays on AXφ and φ1 ∧ φ2. ∃loise plays on EXφ and φ1 ∨ φ2.
5
Example
6
Complexity consideration
• NC is the class of problems that can be solved in polylogarithmic time with polynomially many processors.
• NC is contained in P.
• If we believe that NC ≠ P, then P-complete problems cannot be in NC.
P-complete problems are inherently sequential.
7
Complexity consideration (cont.)
Lemma: The program complexity of model checking the alternation-free μ-calculus is P-hard.
Theoretically, we cannot expect a good parallel algorithm for the alternation-free μ-calculus.
In practice, the algorithm suggested in the paper has been implemented and showed good results on many practical problems.
Open question: Does the same result hold for CTL?
8
Remark:
Depth-first search (DFS) is also P-complete, and therefore (theoretically) good on-the-fly parallel algorithms should not be expected.
9
CTL in negation normal form
• true, false
• p, ¬p, where p ∈ AP
• φ1 ∧ φ2, φ1 ∨ φ2
• EXφ, AXφ, A(φ1 U φ2), E(φ1 U φ2), A(φ1 V φ2), E(φ1 V φ2)
A(φ1 V φ2) ≡ ¬E(¬φ1 U ¬φ2)
E(φ1 V φ2) ≡ ¬A(¬φ1 U ¬φ2)
10
M, s |= E(φ1 V φ2) iff there is a path s0 s1 … with s0 = s such that for all j ≥ 0: if M, si ⊭ φ1 for every i < j, then M, sj |= φ2. (So φ2 holds up to and including the first state where φ1 holds, or forever if φ1 never holds.)
• EGφ ≡ E(false V φ)
• EFφ ≡ E(true U φ)
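The dualities on this slide give a mechanical way to put any CTL formula into negation normal form. The following is an added example (not part of the lecture) that implements the rewriting over a tuple encoding of formulas, which is an assumption of the example; it also derives AG and AF from EF and EG by negation, so the rewrite produces the V and U forms used from here on.

```python
"""Push negations in a CTL formula inwards to negation normal form (NNF),
so that only atomic propositions are negated.  Added example, not from the
lecture.  Formulas are nested tuples (an assumption of this example):
  ('true',) ('false',) ('ap', a) ('nap', a) ('not', f)     nap = negated atom
  ('and', f, g) ('or', f, g) ('EX', f) ('AX', f)
  ('EU', f, g) ('AU', f, g) ('EV', f, g) ('AV', f, g)     until / release"""

# Dual operator used when a negation is pushed through: De Morgan for the
# boolean connectives, EX/AX for next, and the slide's U/V dualities.
DUAL = {"and": "or", "or": "and", "EX": "AX", "AX": "EX",
        "EU": "AV", "AV": "EU", "AU": "EV", "EV": "AU",
        "true": "false", "false": "true"}

def neg(f):
    """NNF of the negation of f."""
    k = f[0]
    if k == "not":
        return nnf(f[1])                                   # ¬¬f ≡ f
    if k in ("ap", "nap"):
        return ("nap" if k == "ap" else "ap", f[1])        # flip the literal
    if k in ("true", "false"):
        return (DUAL[k],)
    # ¬(f ∧ g) ≡ ¬f ∨ ¬g, ¬EXf ≡ AX¬f, ¬E(f U g) ≡ A(¬f V ¬g), ¬A(f V g) ≡ E(¬f U ¬g), ...
    return (DUAL[k],) + tuple(neg(g) for g in f[1:])

def nnf(f):
    """Negation normal form of f: only 'nap' literals carry a negation."""
    k = f[0]
    if k == "not":
        return neg(f[1])
    if k in ("true", "false", "ap", "nap"):
        return f
    return (k,) + tuple(nnf(g) for g in f[1:])

# Derived operators.  EG/EF as on the slide; AG/AF by negation, so nnf()
# turns AG f into A(false V f) and AF f into A(true U f).
def EG(f): return ("EV", ("false",), f)
def EF(f): return ("EU", ("true",), f)
def AG(f): return ("not", EF(("not", f)))
def AF(f): return ("not", EG(("not", f)))
```

Because every operator of the NNF syntax has a dual in the same syntax, the rewrite never needs a negation above a literal, which is exactly what the game rules below rely on: a terminating configuration is decided by looking up one atom in L(s).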
11
Model checking game
To check M, s |= φ: a play G for (s, φ) is a sequence
C0 p0 C1 p1 C2 p2 … of configurations,
where C0 = (s, φ), for all i, Ci ∈ S × Sub(φ) (Sub(φ) being the set of subformulas of φ, closed under the unfoldings of U and V given below),
and pi denotes the player that took the step
(∃loise, the Verifier, or ∀belard, the Refuter).
G(s, φ) is the set of all possible plays.
12
• The players do not move alternately.
• The player to move is determined by the formula in the configuration.
• That player chooses the next move.
• Configurations with no choice can be played by either player.
13
Defining the next move
• If Ci = (s, true), Ci = (s, false), Ci = (s, a), or Ci = (s, ¬a) for a ∈ AP, then the play terminates.
For terminating configurations:
• Ci is an ∃-configuration if Ci = (s, true), or
if Ci = (s, a) and a ∈ L(s), or if Ci = (s, ¬a) and a ∉ L(s).
• Ci is a ∀-configuration otherwise.
14
Defining the next move (cont.)
• If Ci = (s, φ1 ∧ φ2) then Ci+1 = (s, φ1) or Ci+1 = (s, φ2)
• If Ci = (s, AXφ) then Ci+1 = (t, φ) for some t s.t. (s, t) ∈ R
• If Ci = (s, φ1 ∨ φ2) then Ci+1 = (s, φ1) or Ci+1 = (s, φ2)
• If Ci = (s, EXφ) then Ci+1 = (t, φ) for some t s.t. (s, t) ∈ R
(s, φ1 ∧ φ2), (s, AXφ) are ∀-configurations
(s, φ1 ∨ φ2), (s, EXφ) are ∃-configurations
15
Defining the next move (cont.)
• If Ci = (s, E(φ1 U φ2)) then Ci+1 = (s, φ2 ∨ (φ1 ∧ EX E(φ1 U φ2)))
• If Ci = (s, A(φ1 U φ2)) then Ci+1 = (s, φ2 ∨ (φ1 ∧ AX A(φ1 U φ2)))
• If Ci = (s, E(φ1 V φ2)) then Ci+1 = (s, φ2 ∧ (φ1 ∨ EX E(φ1 V φ2)))
• If Ci = (s, A(φ1 V φ2)) then Ci+1 = (s, φ2 ∧ (φ1 ∨ AX A(φ1 V φ2)))
These unfolding moves offer no choice, so either player may take them.
16
∀belard (the Refuter) wins a play if
• The play terminates with (s, a) and a ∉ L(s) (or with (s, false))
• The play terminates with (s, ¬a) and a ∈ L(s)
• The play sequence is infinite and a formula of the form E(φ1 U φ2) or A(φ1 U φ2) appears in infinitely many configurations
17
∃loise (the Verifier) wins a play if
• The play terminates with (s, a) and a ∈ L(s) (or with (s, true))
• The play terminates with (s, ¬a) and a ∉ L(s)
• The play sequence is infinite and a formula of the form E(φ1 V φ2) or A(φ1 V φ2) appears in infinitely many configurations
18
Example
φ = AX( b EX a), M = …
• In some of the plays ∃loise wins, in some other plays ∀belard wins.
∀belard has a winning strategy: when it is his turn he can choose moves that guarantee his win, no matter what ∃loise does.
19
Judgements and witnesses
• An ∃-configuration C is an ∃-judgment, and a ∀-configuration C is a ∀-judgment, if no move is possible from it.
• C = (s, φ) is an ∃-witness if φ is of the form E(φ1 V φ2) or A(φ1 V φ2).
• C = (s, φ) is a ∀-witness if φ is of the form E(φ1 U φ2) or A(φ1 U φ2).
20
A strategy
• A strategy for a player p is a set of rules telling the player how to move in a given configuration.
• A winning strategy for p is a strategy that guarantees that p wins whenever p obeys its rules.
21
Winning strategy and model checking
• If M, s |= φ then ∃loise has a winning strategy starting at (s, φ).
• If M, s ⊭ φ then ∀belard has a winning strategy starting at (s, φ).
Since a formula is either true or false at s, the model checking game is determined, i.e., for every game either ∃loise or ∀belard has a winning strategy.
22
Game graph
The game graph for M, s and φ captures all possible plays for M, s and φ.
• Nodes: all possible configurations
• Edges: all possible moves of the players
• It is an and-or graph where the or-nodes (denoted ∨) are the ∃-configurations and the and-nodes (denoted ∧) are the ∀-configurations
• A play corresponds to a path in the graph and vice versa
23
Theorem: Let (Q, E) be the game graph for M, s and φ. Then there are Q1, …, Qm that satisfy:
• Q = ∪_{i=1,…,m} Qi and for all i, j with i ≠ j, Qi ∩ Qj = ∅
• The subgraph induced by Qi is exactly one of:
(a) a non-trivial maximal strongly connected component (type I),
(b) a singleton which is a judgment (type II),
(c) a maximal directed acyclic graph with no judgments (type III).
24
• Every Qi of type I either contains at least one ∃-witness and no ∀-witness, or contains at least one ∀-witness and no ∃-witness.
• There is a partial order on the Qi's such that for every q ∈ Qi and q' ∈ Qj with an edge from q to q', Qj ≤ Qi. Thus, moves from a configuration in Qi lead to configurations in either the same Qi or a lower Qj.
25
Proposition:
Every strongly connected component of a game graph with more than one element contains at least one witness (the only moves that can close a cycle are the unfoldings of a U or V formula, and every other move goes to a strictly smaller formula).
26
Sequential algorithm
• Decides which player has a winning strategy
• Labels each configuration in the game graph by
- green, if ∃loise has a winning strategy from this configuration
- red, if ∀belard has.
27
Sequential algorithm (cont.)
• It is based on the partial order on the Qi's.
• It is also based on the fact that every infinite play gets trapped within a single Qi (which contains either ∃-witnesses or ∀-witnesses, but not both).
28
The algorithm
• Extend the partial order on the Qi's to a total order.
• For the minimal Qi: if it is an ∃-judgment of type II, or it is of type I and contains an ∃-witness, color all its nodes green; if it is a ∀-judgment of type II, or it is of type I and contains a ∀-witness, color all its nodes red.
29
The algorithm (cont.)
Once some configurations are colored, the coloring proceeds:
• A ∀-node is colored red if one of its successors is red; it is colored green if all its successors are green.
• An ∃-node is colored green if one of its successors is green; it is colored red if all its successors are red.
30
The algorithm (cont.)
• Let Qj still contain uncolored nodes once the propagation rules no longer apply, while all Qi < Qj are already colored. Then Qj must be of type I (a judgment is colored directly, and a DAG without judgments is fully colored by propagation). Its remaining uncolored nodes are all colored green if Qj contains an ∃-witness and red otherwise.
31
Example 1: AX(b EX a)
Example 2: A(a U b)
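As an added example (not the lecturer's or the paper's code), here is the algorithm of the last five slides in Python over a constructed three-state Kripke structure: it builds the game graph from the move rules, splits it into strongly connected components with Tarjan's algorithm (which emits the components in a total order extending the partial order on the Qi), propagates colors to a fixpoint inside each component, and decides a stuck component by its witnesses. The structure M and the tuple encoding of formulas are assumptions of the example; Example 2, A(a U b), is evaluated on it.

```python
"""Model checking game for CTL in negation normal form: build the game graph
from the move rules, split it into SCCs, and colour it with the sequential
algorithm of the lecture.  Added example, not the lecturer's or the paper's
code.  Formulas are nested tuples: ('true',) ('false',) ('ap', a) ('nap', a)
('and', f, g) ('or', f, g) ('EX', f) ('AX', f) ('EU', f, g) ('AU', f, g)
('EV', f, g) ('AV', f, g); a configuration is a pair (state, formula)."""

# Constructed Kripke structure M = (S, R, L); R is total.
R = {"s0": ["s1", "s2"], "s1": ["s1"], "s2": ["s2"]}
L = {"s0": {"a"}, "s1": {"a", "b"}, "s2": set()}

def moves(conf):
    """Successor configurations, i.e. the game-graph edges out of conf."""
    s, f = conf
    k = f[0]
    if k in ("true", "false", "ap", "nap"):
        return []                                   # the play terminates
    if k in ("and", "or"):
        return [(s, f[1]), (s, f[2])]
    if k in ("EX", "AX"):
        return [(t, f[1]) for t in R[s]]
    X = "EX" if k[0] == "E" else "AX"               # unfold U / V one step
    if k.endswith("U"):
        return [(s, ("or", f[2], ("and", f[1], (X, f))))]
    return [(s, ("and", f[2], ("or", f[1], (X, f))))]

def is_forall(conf):
    """∀belard (Refuter) moves on ∧ and AX; everything else is an ∃-node."""
    return conf[1][0] in ("and", "AX")

def judgment(conf):
    """Colour of a terminal configuration (a judgment); None if not terminal."""
    s, f = conf
    if f[0] in ("true", "false"):
        return "green" if f[0] == "true" else "red"
    if f[0] in ("ap", "nap"):                       # literal: check the labelling
        return "green" if (f[1] in L[s]) == (f[0] == "ap") else "red"
    return None

def propagate(conf, col):
    """Colour a non-terminal node from its successors, if already determined."""
    succ = [col.get(d) for d in moves(conf)]
    one, every = ("red", "green") if is_forall(conf) else ("green", "red")
    if one in succ:                                 # one such successor decides
        return one
    if all(x == every for x in succ):               # all successors (or none)
        return every
    return None

def sccs(root):
    """Tarjan's algorithm over the game graph reachable from root.  SCCs come
    out sinks first, i.e. in a total order extending the order on the Q_i."""
    index, low, stack, on, out, n = {}, {}, [], set(), [], [0]
    def visit(v):
        index[v] = low[v] = n[0]; n[0] += 1
        stack.append(v); on.add(v)
        for w in moves(v):
            if w not in index:
                visit(w); low[v] = min(low[v], low[w])
            elif w in on:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:                      # v is the root of an SCC
            comp = []
            while True:
                w = stack.pop(); on.discard(w); comp.append(w)
                if w == v: break
            out.append(comp)
    visit(root)
    return out

def colour(s, f):
    """Colour every configuration reachable from (s, f): green where ∃loise
    has a winning strategy, red where ∀belard has."""
    col = {}
    for comp in sccs((s, f)):                       # lower Q_i first
        changed = True
        while changed:                              # propagate to a fixpoint
            changed = False
            for c in comp:
                if c not in col:
                    verdict = judgment(c) or propagate(c, col)
                    if verdict:
                        col[c] = verdict
                        changed = True
        # Propagation stuck: the rest is a non-trivial SCC in which every play
        # loops forever, so its witness kind decides (V: ∃loise, U: ∀belard).
        rest = [c for c in comp if c not in col]
        if rest:
            win = "green" if any(c[1][0] in ("EV", "AV") for c in comp) else "red"
            for c in rest:
                col[c] = win
    return col

def holds(s, f):
    """M, s |= f  iff  ∃loise has a winning strategy from (s, f)."""
    return colour(s, f)[(s, f)] == "green"
```

On this M, s0 has the successors s1 (labelled a and b, looping on itself) and s2 (unlabelled, looping on itself). E(a U b) therefore holds at s0 through s1, while A(a U b) fails through s2, where (s2, a) is a ∀-judgment that turns the whole s2 branch red. EG a holds at s0 because the play along the s1 loop is trapped in an SCC whose only witness is the ∃-witness (s1, E(false V a)); propagation gets stuck there and the witness rule colours the component green, which is the case the plain and/or propagation alone could never decide.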