Abstract. Different analysis problems for state-transition models can be uni- ... algorithm is linear in the size of the state space and in the cost of model checking,.
Finding State Solutions to Temporal Logic Queries Mihaela Gheorghiu, Arie Gurfinkel, and Marsha Chechik Department of Computer Science, University of Toronto, Toronto, ON M5S 3G4, Canada. Email: mg,arie,chechik � @cs.toronto.edu
Abstract. Different analysis problems for state-transition models can be uniformly treated as instances of temporal logic query-checking, where only states are sought as solutions to the queries. In this paper, we propose a symbolic querychecking algorithm that finds exactly the state solutions to any query. We show that our approach generalizes previous ad-hoc techniques, and this generality allows us to find new and interesting applications, such as finding stable states. Our algorithm is linear in the size of the state space and in the cost of model checking, and has been implemented on top of the model checker NuSMV, using the latter as a black box. We show the effectiveness of our approach by comparing it, on a gene network example, to the naive algorithm in which all possible state solutions are checked separately.
1 Introduction In the analysis of state-transition models, many problems reduce to questions of the type: “What are all the states that satisfy a property � ?”. Symbolic model checking can answer some of these questions, provided that the property � can be formulated in an appropriate temporal logic. For example, suppose the erroneous states of a program are characterized by the program counter (��� ) being at a line labeled ����� �� . Then the states that may lead to error can be discovered by model checking the property � �� ����������� ���� , formalized in the branching temporal logic CTL [10]. There are many interesting questions which are not readily expressed in temporal logic and require specialized algorithms. One example is finding the reachable states, which is often needed in a pre-analysis step to restrict further analysis only to those states. These states are typically found by computing a forward transitive closure of the transition relation [8]. Another example is the computation of “procedure summaries”. A procedure summary is a relation between states, representing the input/output behavior of a procedure. The summary answers the question of which inputs lead to which outputs as a result of executing the procedure. They are computed in the form of “summary edges” in the control-flow graphs of programs [21, 2]. Yet another example is the algorithm for finding dominators/postdominators in program analysis, proposed in [1]. A state � is a postdominator of a state � if all paths from � eventually reach � , and � is a dominator of � if all paths to � pass through � . Although these problems are similar, their solutions are quite different. Unifying them into a common framework allows reuse of specific techniques proposed for each problem, and opens a way for creating efficient implementations to other problems of
a similar kind. We see all these problems as instances of model exploration, where properties of a model are discovered, rather than checked. A common framework for model exploration has been proposed under the name of query checking [5]. � Query checking finds which formulas hold in a model. For instance, a query is intended to find all propositional formulas that hold in the reachable states. In general, a CTL query is a CTL formula with a missing propositional subformula, designated by a placeholder (“ ”). A solution to the query is any propositional formula that, when substituted for the placeholder, makes a CTL formula that holds in the model. The general query checking problem is: given a CTL query on a model, find all of its propositional solutions. For example, consider the model in Figure 1(a), where each state is labeled � by the atomic propositions that hold in it. Here, some solutions to are , representing the reachable state � , and , representing the set of states � � . � On the other hand, is not a solution: does not hold, since no states where is false are reachable. Query checking can be solved by repeatedly substituting each possible propositional formula for the placeholder, and returning those for which the resulting CTL formula holds. In the worst case, this approach is exponential in the size of the state space and linear in the cost of CTL model checking. Each of the analysis questions described above can be formulated as a query. Reach � able are solutions to . Procedure summaries can be obtained by solving � states �� ��� � �� � �� � , where ��� � �� � holds in the return statement of
the procedure. Dominators/postdominators are solutions to the query (i.e., what propositional formulas eventually hold on all paths). This insight gives us a uniform formulation of these problems and allows for easy creation of solutions to other, similar, problems. For example, a problem reported in genetics research [4, 12] called for finding stable states of a model, that are those � states which, once reached, are never left by the system. This is easily formulated as , meaning “what are the reachable states in which the system will remain forever?”. These analysis problems further require that solutions to their queries be states of the
model. For example, a query on the model in Figure 1(a) has solutions and . The first corresponds to the state � and is a state solution. The second corresponds to a set of states � � but neither � nor � is a solution by itself. When only state solutions are needed, we can formulate a restricted state query-checking problem by constraining the solutions to be single states, rather than arbitrary propositional formulas (that represent sets of states). A naive state query checking algorithm is to repeatedly substitute each state of the model for the placeholder, and return those for which the resulting CTL formula holds. This approach is linear in the size of the state space and in the cost of CTL model checking. While of significantly more efficient than general query checking, this approach is not “fully” symbolic, since it requires many runs of a model-checker. While several approaches have been proposed to solve general query checking, none are effective for solving the state query-checking problem. The original algorithm of Chan [5] was very efficient (same cost as CTL model checking), but was restricted to valid queries, i.e., queries whose solutions can be characterized by a single propositional formula. This is too restrictive for our purposes. For example, neither of the
� queries , , nor the stable states query are valid. Bruns and Gode-
�
��
�� �� �"! #�
�
����
� ������� ��
� �� � ����
��
$� �� "�"!
%&
%�'
%� � ��-� ��-�
�+�,
� %$
-�
��
%�'
2
�#�(���)�*
froid [3] generalized query checking to all CTL queries by proposing an automata-based CTL model checking algorithm over a lattice of sets of all possible solutions. This algorithm is exponential in the size of the state space. Gurfinkel and Chechik [15] have also provided a symbolic algorithm for general query checking. The algorithm is based on reducing query checking to multi-valued model checking and is implemented in a tool TLQSolver [7]. While empirically faster than the corresponding naive approach of substituting every propositional formula for the placeholder, this algorithm still has the same worst-case complexity as that in [3], and remains applicable only to modest-sized query-checking problems. An algorithm proposed by Hornus and Schnoebelen [17] finds solutions to any query, one by one, with increasing complexity: a first solution is found in time linear in the size of the state space, a second, in quadratic time, and so on. However, since the search for solutions is not controlled by their shape, finding all state solutions can still take exponential time. Other query-checking work is not directly applicable to our state query-checking problem, as it is exclusively concerned either with syntactic characterizations of queries, or with extensions, rather than restrictions, of query checking [23, 25]. In this paper, we provide a symbolic algorithm for solving the state query-checking problem, and describe an implementation using the state-of-the-art model-checker NuSMV [8]. The algorithm is formulated as model checking over a lattice of sets of states, but its implementation is done by modifying only the interface of NuSMV. Manipulation of the lattice sets is done directly by NuSMV. While the running time of this approach is the same as in the corresponding naive approach, we show empirical evidence that our implementation can perform better than the naive, using a case study from genetics [12].
&
%
The algorithms proposed for the program analysis problems described above are �
special cases of ours, that solve only and queries, whereas our algorithm solves any CTL query. We prove our algorithm correct by showing that it approximates general query checking, in the sense that it computes exactly those solutions, among all given by general query checking, that are states. We also generalize our results to an approximation framework that can potentially apply to other extensions of model checking, e.g., vacuity detection, and point to further applications of our technique, e.g., to querying XML documents. There is a also a very close connection between query-checking and sanity checks such as vacuity and coverage [19]. Both problems require checking several “mutants” of the property to obtain the final solution. In fact, the algorithm for solving state-queries presented in this paper bears many similarities to the coverage algorithms described in [19]. Since query-checking is a more general approach, we believe it can provide a uniform framework for studying all these problems. The rest of the paper is organized as follows. Section 2 provides the model checking background. Section 3 describes the general query-checking algorithm. We formally define the state query-checking problem and describe our implementation in Section 4. Section 5 presents the general approximation technique for model checking over lattices of sets. We present our case study in Section 6, and conclude in Section 7. 3
���
�
��� �
�
� �
(a)
��
�
� � � �� ����� �� for false � � � �� �� ����� ��, �� ��� ��� true ��� �� � , for ����� � � � �� �� ����� �"�� ! ��� ��� � � #%$�&' �� ����� � � #( )� �*� $+, � for � &� )� ��� � � #%,�&' �� ����� � � #( )� �*� ,+� � &� )� ��� � � -/.0#( �� �����21436587�9;:@� (b) � � �A.0#( �� �����2B436587�9;: � � � -DCE#( �� ����� � � FHGJI #K$L-M.NGJ )� ��� � � �OCE#( �� ����� � � FHGJI #K$L��.PGQ )� �*� � � -�� #"RS&' < �� ����� � � T;GUI &V,P�)#%$�-/.PG � )� ��� � � �W� #"RS&' < �� ����� � � T;GUI &V,P�)#%$���.PG � )� ��� �
�
Fig. 1. (a) A simple Kripke structure; (b) CTL semantics.
2 Background In this section, we review some notions of lattice theory, minterms, CTL model checking, and multi-valued model checking. Lattice theory. A finite lattice is a pair (X , Y ), where X is a finite set and Y is a partial order on X , such that every finite subset Z\[]X has a least upper bound (called join and written ^_Z ) and a greatest lower bound (called meet and written `_Z ). Since the lattice is finite, there exist a �b^�X and c �b`�X , that are the maximum and respectively minimum elements in the lattice. When the ordering Y is clear from the context, we simply refer to the lattice as X . A lattice if distributive if meet and join distribute over each other. In this paper, we work with lattices of propositional formulas. � For a set of atomic propositions d , let e d�� be the set of propositional formulas over � d . For example, e � � true false . This set forms a finite lattice ordered by implication (see Figure 2(a)). Since gf true, is under true in this lattice. Meet and join in this lattice correspond to logical operators and , respectively. A subset Zh[iX is called upward closed or an upset, if for any j lk�mnX , if k�mgZ and kNYoj , then jgmEZ . In that case, Z can be identified by the set p of its minimal � jKYtk � ), and we write Z �vuwp . For elements ( kgmqZ is minimal if rsjLm0Z � � � xf � shown in Figure 2(a), u �� example, for the lattice e true . The set is not an upset, whereas true is. For singletons, we write uyj � � for u j . We write z X � for the set of all upsets of X , i.e., {[|X iff u {m2z X � . � by z X � is closed under union � � and intersection, and therefore forms a lattice ordered � set inclusion. We call z X � *[ � the upset lattice of X . The upset lattice of e � is shown in Figure 2(b). An element } in a lattice X is join-irreducible if }�L ~ c and } cannot be decomposed as the join of other lattice elements, i.e., for any and in X , } �]�^+ implies } � or } �0 [11]. For example, the join-irreducible elements of the lattice in Figure 2(a) are and , and of the one in Figure 2(b) — u true, u , u , and u false.
�� �
�
� �
� �)� � � �
�
�
�� � �
�
�� �� � �
� � � � � � �)�
�
�
�
� �)� � � � � � � � � � % �%
�
�
��
� "� �
4
�
�
�� �
false
�� ��
true
�
� ��
� �
� �
� ����
(a)
(b) �
Fig. 2. Lattices for �
�
�
� �
�
true false
� �
(c)
�� %� � ���4�� �� � � � ����� :�� = � � �� � � ; (b) � �� � ; (c) ��� .
: (a)
�
Minterms. In the lattice of propositional formulas e d�� , a join-irreducible element is a conjunction in which every atomic proposition of d appears, positive or negated. Such � conjunctions are called minterms and we denote their set by � d�� . For example,
� ��
�
��W$ �W$%� ���W$ ���D$�� I ��� � � �y� � � � � � �
CTL Model Checking. CTL model checking is an automatic technique for verifying temporal properties of systems expressed in a propositional branching-time temporal logic called Computation Tree Logic (CTL) [9]. A system model is a Kripke structure � �! &%' � #" � #$�� , where is a set of states, " [ is a (left-total) transition +*-,/. relation, � Pm is the initial state, is a set of atomic propositions, and $)( is a labeling function, providing the set of atomic� propositions that are true in each state. CTL formulas are evaluated in the states of . Their semantics can be described � holds in terms of infinite execution paths of the model. For instance, a formula in a state � if � holds in every state, on every infinite execution path � � � �0�010 start ing at � ; � ( � ) holds in � if � holds in some state, on every (some) infinite execution path � � � �010�0 . The formal semantics of CTL is given in Figure 1(b). Without loss of generality we consider only CTL formulas in negation normal form, where negation is applied only to atomic propositions [9]. In Figure 1(b), the function 22 6* true false indicates the result of checking a formula � in state � ; the �43 35( � � � � set of successors for a state � is " � �87 �:9
