1

Parallel Model Checking Game for CTL

Lecture 6 – 14.5.02

Lecturer: Orna Grumberg

2

Based on:

• Parallel Model Checking for the Alternation Free -Calculus, by Benedict Bollig, Martin Leucker and Michel Weber Appeared in the conference: TACAS’01

• A book on:Modal and Temporal Properties of processes,by Colin Stirling

3

Intuitive explanation

• The model checking algorithm is based on a two-person game: - one player, loise, tries to verify the formula on the model- the other player, belard, tries to falsify it

• We first handle only formulas with AX, EX, , and

4

• The players traverse the model starting from a state s.

• If the formula is 12 or 12 and the player is on state t then the player should decide whether he/she wants to falsify/verify 1 or 2 on t.

• If the formula is EX or AX then the player should choose the successor of t from which the play will proceed with .

belard plays on AX and 12 .loise plays on EX and 12 .

5

Example

6

Complexity consideration

• NC is the class of problems that can be solved in polylogarithmic time with polynomial many processes.

• NC is contained in P.• If we believe that NC P then P-complete

problems cannot be in NC.

P-complete problems are inherently sequential.

7

Complexity consideration (cont.)

Lemma: The program complexity of alternation free -Calculus is P-hard .

Theoretically we cannot expect a good parallel algorithm for alternation free -Calculus.

In practice, the algorithm suggested in the paper has been implemented and showed good results on many practical problems.

Open question: Does the same result hold for CTL?

8

Remark:

DFS is also P-complete and therefore (theoretically) good on-the-fly parallel algorithms should not be expected.

9

CTL in negation normal form• true, false• p, p, where p AP1 2, 1 2

• EX , AX , A(1 U 2), E(1 U 2),A(1 V 2), E(1 V 2)

A(1 V 2) E( 1 U 2)

E(1 V 2) A(1 U 2)

10

M, s |= E(1 V 2) iff there is a path s0s1…

with s0=s such that for all j0, if for every ij

M,si | 1 then M,sj |= 2.

• EG E(false V )

• EF E(true U )

11

Model checking game

to check M,s |= A play G for (s,) is a sequence

C0 p0 C1p1 C2 p2 … of configuration

where C0 = (s,) and for all i, Ci SSub()

and pi denotes the player that took the step

(loise, the Verifier or belard, the Refuter)

G(s, ) is the set of all possible plays.

12

• The players do not move alternately.

• The player is determined by the formulain the configuration

• The player chooses the next move

• Configurations with no choice can be played by either

13

Defining the next move

• If Ci=(s,true), Ci=(s,false), Ci=(s,a), or Ci=(s, a) for a AP then the play terminates.

For terminating configurations:

• Ci is an -configuration if Ci=(s,true) or

if Ci=(s,a) and aL(s) orif Ci=(s, a) and aL(s).

• Ci is an -configuration otherwise.

14

Defining the next move (cont.)

• If Ci=(s, 12) then Ci+1=(s, 1) or Ci+1=(s, 1)

• If Ci=(s, AX) then Ci+1=(t, ) for some t s.t.(s,t)R

• If Ci=(s, 12) then Ci+1=(s, 1) or Ci+1=(s, 1)

• If Ci=(s, EX) then Ci+1=(t, ) for some t s.t.(s,t)R

(s, 12), (s, AX) are -configurations

(s, 12), (s, EX) are -configurations

15

Defining the next move (cont.)

• If Ci=(s, E(1U2)) then Ci+1= 2(1EXE(1U2))

• If Ci=(s, A(1U2)) then Ci+1= 2(1AXA(1U2))

• If Ci=(s, E(1V2)) then Ci+1= 2 (1 EXE(1V2))

• If Ci=(s, A(1V2)) then Ci+1= 2 (1 AXA(1V2))

16

belard (the Refuter) wins a play if

• The play terminates with (s,a) and aL(s)

• The play terminates with (s,a) and a L(s)• The play sequence is infinite and a formula

of the form E(1U2) or A(1U2) appears in infinitely many configurations

17

loise (the Verifier) wins a play if

• The play terminates with (s,a) and a L(s)

• The play terminates with (s,a) and a L(s)• The play sequence is infinite and a formula

of the form E(1V2) or A(1V2) appears in infinitely many configurations

18

Example

= AX ( b EX a), M=…

• In some of the plays loise wins, in some other plays belard wins

belard has a winning strategy: when it is his turn he can choose moves that guarantee his winning, no matter what loise does.

19

Judgements and witnesses

• A /-configuration C is a /-judgment if no move is possible from it.

• C=(s, ) is an -witness if is of the form E(1V2) or A(1V2) .

• C=(s, ) is an -witness if is of the form E(1U2) or A(1U2) .

20

A strategy

• A strategy for a player p is a set of rules telling the player how to move in a given configuration

• A winning strategy for p is a strategy that guarantees the winning of p whenever p obeys its rules.

21

Winning strategy and model checking

• If M, s |= then loise has a winning strategy starting at (s, ).

• If M, s | then belard has a winning strategy starting at (s, ).

Since a formula is either true or false at s then the model checking game is determined, i.e., for every game either loise or belard has a winning strategy.

22

Game graph

The game graph for M, s and captures all possible plays for M, s and

• Nodes: all possible configurations• Edges: all possible moves of the players

• It is an and-or graph where or-nodes (denoted ) are the -configurations and the and-nodes (denoted ) are the -configurations

• A play corresponds to a path in the graph and vice versa

23

Theorem: Let (Q, E) be the game graph for M, s and . Then there are Q1,…,Qm that satisfy:

• Q = i=1,…m Qi and i,j, ij, QiQj=

• The subgraph induced by Qi is exactly one of:(a) a non-trivial maximal strongly connected component (type I)..(b) a singleton which is a judgment (type II).(c) a maximal directed acyclic graph with no judgments (type III).

24

• Every Qi of type I either contains at least one -witness and no -witness or contains at least one -witness and no -witness.

• There is a partial order on the Qi’s such that for every qQi and q’Qj with an edge from q to q’, Qj Qi.Thus, moves from a configuration in Qi leads to configurations in either the same Qi or a lower Qj.

25

Proposition:

Every strongly connected component of a game graph with more than one element contains at least one witness.

26

Sequential algorithm• Decides which player has a winning

strategy

• Labels configuration in the game graph by- green, if loise has a winning strategy from this configuration- red, if belard has.

27

Sequential algorithm (cont.)

• It is based on the partial order on the Qi’s

• It is also based on the fact that every infinite play gets trapped within a single Qi (that either contains -witness or -witness).

28

The algorithm

• Extend the partial order on Qi to a total order.

• For the minimal Qi:if it is an -judgment of type II or it is of type I and contains an -witness, color all nodes with green. if it is an -judgment of type II or it is of type I and contains an -witness, color all nodes with red.

29

The algorithm (cont.)

Once some configuration is colored, the coloring proceeds:

• An -node is colored red if one of its successors is red; it is colored green if all its successors are green.

• An -node is colored green if one of its successors is green; it is colored red if all its successors are red.

30

The algorithm (cont.)

• Let Qj be non-colored, while all QiQj are already colored. Then Qj must be of type I.All its nodes will be colored green if it contains a -witness and red otherwise.

31

Example 1: AX(b Exa)

Example 2: A(a U b)