Zhi-Hong Tao,Cong-Hua Zhou,Zhong Chen,Li-Fu Wang

DOI: https://doi.org/10.1007/s11390-007-9004-z

IF: 1.871

2007-01-01

Journal of Computer Science and Technology

Abstract:Bounded Model Checking has been recently introduced as an efficient verification method for reactive systems. This technique reduces model checking of linear temporal logic to propositional satisfiability. In this paper we first present how quantified Boolean decision procedures can replace BDDs. We introduce a bounded model checking procedure for temporal logic CTL* which reduces model checking to the satisfiability of quantified Boolean formulas. Our new technique avoids the space blow up of BDDs, and extends the concept of bounded model checking.

Conghua Zhou,Zhenyu Chen,Zhihong Tao

DOI: https://doi.org/10.1007/978-3-540-72504-6_35

2007-01-01

Abstract:For temporal and epistemic property CTLK we propose a new symbolic model checking technique based on Quantified Boolean Formula(QBF). The verification approach is based on an adaption of the technique of bounded model checking. We decide the validity of a CTLK formula psi in the finite reachable state space of a system, and reduce the validity to a QBF which is satisfiable if and only if psi is validated. The new technique avoids the space blow up of BDDs, and sometimes speeds up the verification.

Jiaqi Zhu,Hanpin Wang,Zhongyuan Xu

DOI: https://doi.org/10.1109/COMPSAC.2008.53

2008-01-01

Abstract:We define a new temporal logic called CTL[k-QDDC]. It extends CTL with the ability to specify branching pasts and quantitative temporal properties by combining CTL with the logic Quantified Discrete-time Duration Calculus (QDDC). The idea of bounded model checking is also used in this logic. Compared to CTL, the added expressive power is necessary for specification and verification of real-time distributed software and hardware systems. We give the syntax and semantics of CTL[k-QDDC], discuss its expressive power,and propose an explicit model checking algorithm for Kripke structure. CTL[k-QDDC] is considered as a foundation of some more complex logics for specifying and verifying continuous-time properties in some appropriate structures.

Shujun Deng,Weimin Wu,Jinian Bian

DOI: https://doi.org/10.1007/978-3-540-72863-4_31

2007-01-01

Abstract:Bounded Model Checking (BMC) based on SAT is a complementary technique to BDD-based Symbolic Model Checking, and it is useful for finding counterexamples of minimum length. However, for model checking of large real world systems, BMC is still limited by the state explosion problem, thus abstraction is essential. In this paper, BMC is implemented on a higher abstraction level - Register Transfer Level (RTL) within an abstraction framework of symbolic trajectory evaluation and hybrid three-valued SAT solving. An efficient SAT solver for RTL circuits is presented, and it is modified into a three-valued solver for the cooperative BMC application. The experimental results comparing with the ordinary BMC without abstraction show the efficiency of our method.

Liangze Yin,Fei He,Ming Gu

DOI: https://doi.org/10.1109/TASE.2013.11

2013-01-01

Abstract:This paper considers bounded model checking for extended labeled transition systems. Bounded model checking relies on a SAT solver to prove (or disprove) the existence of a counterexample with a bounded length. During the translation of a BMC problem to a SAT problem, much useful information is lost. This paper proposes an algorithm to analyze the transition system model, and then utilize the structure information hidden in the model to refine the decision ordering of variables in SAT solving. The basic idea is to guide the search process of SAT solving by the structure of the transition system. Experiments with this heuristic on real industrial designs show 5-12 times speedup over standard bounded model checking.

Haiyu Pan,Yongming Li,Yongzhi Cao,Zhanyou Ma

DOI: https://doi.org/10.1016/j.tcs.2015.10.014

IF: 1.002

2016-01-01

Theoretical Computer Science

Abstract:Multi-valued model-checking is an extension of classical model-checking used to verify the properties of systems with uncertain information content. It is used in systems where the semantic domain of both the models of the systems and the specification is a De Morgan algebra or more abstract structure such as semirings. A common feature of De Morgan algebras and semirings is that they satisfy the distributive law, which is crucial for all of the multi-valued model-checking algorithms developed so far. In this paper, we study computation tree logic with membership values in a finite lattice, which are called multi-valued computation tree logic (MCTL). We introduce three semantics for MCTL over the multi-valued Kripke structure: path semantics, fixpoint semantics, and algebraic semantics, and prove that they coincide if and only if the underlying lattice is distributive. Furthermore, we provide model-checking algorithms with respect to the three semantics. Our algorithms show that MCTL model-checking problems with respect to the fixpoint and algebraic semantics can be solved in polynomial time in the size of the state space of the multi-valued Kripke structure, the size of the lattice, and the length of the formula, while MCTL model-checking problem with respect to the path semantics is in PSPACE. We also provide a lower bound for the MCTL model-checking problem with respect to the path semantics.

Stefan Göller,Markus Lohrey

DOI: https://doi.org/10.48550/arXiv.0912.4117

2010-02-03

Abstract:One-counter processes (OCPs) are pushdown processes which operate only on a unary stack alphabet. We study the computational complexity of model checking computation tree logic (CTL) over OCPs. A PSPACE upper bound is inherited from the modal mu-calculus for this problem. First, we analyze the periodic behaviour of CTL over OCPs and derive a model checking algorithm whose running time is exponential only in the number of control locations and a syntactic notion of the formula that we call leftward until depth. Thus, model checking fixed OCPs against CTL formulas with a fixed leftward until depth is in P. This generalizes a result of the first author, Mayr, and To for the expression complexity of CTL's fragment EF. Second, we prove that already over some fixed OCP, CTL model checking is PSPACE-hard. Third, we show that there already exists a fixed CTL formula for which model checking of OCPs is PSPACE-hard. For the latter, we employ two results from complexity theory: (i) Converting a natural number in Chinese remainder presentation into binary presentation is in logspace-uniform NC^1 and (ii) PSPACE is AC^0-serializable. We demonstrate that our approach can be used to answer further open questions.

Logic in Computer Science,Computational Complexity

Dingbao Xie,Lei Bu,Xuandong Li

DOI: https://doi.org/10.1109/RTSS.2014.22

2014-01-01

Abstract:The behavior space of real time hybrid systems is very complex and hence expensive to conduct the classical full state space model checking. Compared to the classical model checking, bounded model checking (BMC) is much cheaper to conduct and has better scalability. This work presents a technique that can derive, in some cases, a proof of unbounded reach ability argument of Linear Hybrid Automata (LHA) from a BMC procedure. During BMC of LHA, typical procedures can discover sets of unsatisfiable constraint cores, a.k.a. UC or IIS, in the constraint set according to the bounded continuous state space of LHA. Currently, such unsatisfiable constraints are only fed back to the constraint set to accelerate the BMC solving. In this paper, we propose that such unsatisfiable constraint core can be exploited to give general unbounded verification result of the system model. As each constraint can be mapped back to certain semantical elements of the system model, the unsatisfiable constraint cores can be mapped back into path segments, which are not feasible, in the graph structure of the LHA model. Clearly, if all the potential paths to reach the target location in the graph structure have to go through such infeasible path segments, the target location is not reachable in general, not only in the given bound. Based on this observation, we propose to encode the infeasible path segments as linear temporal logic (LTL) formulas, and present the graph structure, the discrete part, of the LHA model as a transition system. Then, we can take advantage of the mature off-the-shelf LTL model checking techniques to verify whether there exists a path to reach the target location without touching any detected IIS path segment in the graph structure of the LHA model. We implement this technique into a bounded LHA checker BACH. The experiments show that most of the benchmarks can be verified by the enhanced BACH with a clearly better performance and scalability.

Benjamin Bordais,Daniel Neider,Rajarshi Roy

2024-06-28

Abstract:We address the problem of learning temporal properties from the branching-time behavior of systems. Existing research in this field has mostly focused on learning linear temporal properties specified using popular logics, such as Linear Temporal Logic (LTL) and Signal Temporal Logic (STL). Branching-time logics such as Computation Tree Logic (CTL) and Alternating-time Temporal Logic (ATL), despite being extensively used in specifying and verifying distributed and multi-agent systems, have not received adequate attention. Thus, in this paper, we investigate the problem of learning CTL and ATL formulas from examples of system behavior. As input to the learning problems, we rely on the typical representations of branching behavior as Kripke structures and concurrent game structures, respectively. Given a sample of structures, we learn concise formulas by encoding the learning problem into a satisfiability problem, most notably by symbolically encoding both the search for prospective formulas and their fixed-point based model checking algorithms. We also study the decision problem of checking the existence of prospective ATL formulas for a given sample. We implement our algorithms in an Python prototype and have evaluated them to extract several common CTL and ATL formulas used in practical applications.

Logic in Computer Science

Taolue Chen,Klaus Dräger,Stefan Kiefer

DOI: https://doi.org/10.1007/978-3-642-32589-2_26

2012-01-01

Abstract:Stochastic branching processes are a classical model for describing random trees, which have applications in numerous fields including biology, physics, and natural language processing. In particular, they have recently been proposed to describe parallel programs with stochastic process creation. In this paper, we consider the problem of model checking stochastic branching process. Given a branching process and a deterministic parity tree automaton, we are interested in computing the probability that the generated random tree is accepted by the automaton. We show that this probability can be compared with any rational number in PSPACE, and with 0 and 1 in polynomial time. In a second part, we suggest a tree extension of the logic PCTL, and develop a PSPACE algorithm for model checking a branching process against a formula of this logic. We also show that the qualitative fragment of this logic can be model checked in polynomial time.

Jun Sun,Yang Liu,Jin Song Dong,Jing Sun

DOI: https://doi.org/10.1109/tase.2008.12

2008-01-01

Abstract:Verification techniques like SAT-based bounded model checking have been successfully applied to a variety of system models. Applying bounded model checking to compositional process algebras is, however, not a trivial task. One challenge is that the number of system states for process algebra models is not statically known, whereas exploring the full state space is computationally expensive. This paper presents a compositional encoding of hierarchical processes as SAT problems and then applies state-of-the-art SAT solvers for bounded model checking. The encoding avoids exploring the full state space for complex systems so as to deal with state space explosion. We developed an automated analyzer which combines complementing model checking techniques (i.e., bounded model checking and explicit on-the-fly model checking) to validate system models against event-based temporal properties. The experiment results show the analyzer handles large systems.

Zhou Conghua,Chen Zhenyu,Ju Shiguang

2008-01-01

Journal of Computer Research and Development

Abstract:For concurrent software systems, linear temporal logic SE-LTL is a specification language with high expressive power and the ability to reason about both states and events. Until now, the SE-LTL model checking algorithm is still explicit, and the state explosion is the primary verification difficulty. A bounded model checking procedure is introduced for SE-LTL which reduces model checking to propositional satisfiability. This new technique avoids the space blow up of BDDs, and sometimes speeds up the verification. For SE-LTL-X the procedure and stuttering equivalent technique is further integrated. The experiment result shows that the integration can reduce the verification time very much.

Yuan Feng,Lijun Zhang

DOI: https://doi.org/10.1016/j.jcss.2017.05.014

IF: 1.043

2017-01-01

Journal of Computer and System Sciences

Abstract:The model checking problem of continuous-time Markov chains with respect to continuous time stochastic logic was introduced and shown to be decidable by Aziz et al. [1,2] in 1996. Unfortunately, their proof is only constructive, but highly unpractical. Later in 2000, an efficient approximate algorithm was proposed by Baier et al. [3,5] for a sublogic with binary until. In this paper, we apply transcendental number theory and classical linear algebra to bridge the gap between the precise but unpractical algorithm, and the imprecise but efficient approximate algorithm. We prove that the approximate algorithm in [3,5] can be used as an off-the-shell tool for a precise model checking algorithm for binary until formulas. Further, we discuss extensions of our results to nested until and continuous-time Markov decision processes. (C) 2017 Elsevier Inc. All rights reserved.

Huu-Vu Nguyen,Tayssir Touili

DOI: https://doi.org/10.48550/arXiv.1805.04580

2018-05-12

Abstract:Pushdown Systems (PDSs) are a natural model for sequential programs with (recursive) procedure calls. In this work, we define the Branching temporal logic of CAlls and RETurns (BCARET) that allows to write branching temporal formulas while taking into account the matching between calls and returns. We consider the model-checking problem of PDSs against BCARET formulas with "standard" valuations (where an atomic proposition holds at a configuration c or not depends only on the control state of c, not on its stack) as well as regular valuations (where the set of configurations in which an atomic proposition holds is regular). We show that these problems can be effectively solved by a reduction to the emptiness problem of Alternating Büchi Pushdown Systems. We show that our results can be applied for malware detection.

Formal Languages and Automata Theory

CHEN Dong-huo,WANG Lin-zhang,CUI Jia-lin,陈冬火,王林章,崔家林

2008-01-01

Abstract:Classical logic cannot be used to effectively reason about concurrent systems with inconsistencies (inconsistencies often occur, especially in the early stage of the development, when large and complex concurrent systems are developed). In this paper, we propose the use of a guasi-classical temporal logic (QCTL) for supporting the verification of temporal properties of such systems even where the consistent model is not available. Our models are paraKripke structures (extended standard Kripke structures), in which both a formula and its negation are satisfied in a same state, and properties to be verified are expressed by QCTL with paraKripke structures semantics. We introduce a novel notion of paraKripke models, which grasps the paraconsistent character of the entailment relation of QCTL. Furthermore, we explore the methodology of model checking over QCTL, and describe the detailed algorithm of implementing QCTL model checker. In the sequel, a simple example is presented, showing how to exploit the proposed model checking technique to verify the temporal properties of inconsistent concurrent systems.

Tao Zhihong,Zhou Conghua,Kleine Buning Hans,Wang Lifu

IF: 1.019

2006-01-01

Chinese Journal of Electronics

Abstract:Bounded model checking has been recently introduced as an efficient verification method for reactive systems. In this work we apply bounded model checking to asynchronous systems. More specifically, we translate the bounded model checking of ECTL-X, LTL-X formulas for bounded Petri nets into the propositional satisfiability decision problem. The ordinary encoding would yield a large formula due to the concurrent and asynchronous nature of Petri nets. We propose a new encoding method for bounded Petri nets. This method can reduce verification time by representing the behavior with very succinct formulas.

Haiyu Pan,Yongming Li,Yongzhi Cao,Zhanyou Ma

DOI: https://doi.org/10.1016/j.fss.2014.07.008

IF: 4.462

2015-01-01

Fuzzy Sets and Systems

Abstract:Traditional temporal logics such as linear temporal logic and computation tree logic are widely used to specify properties of reactive systems. Model checking is a well-established technique for verifying if a desired property described as a temporal logic formula holds over a reactive system model. This paper presents fuzzy computation tree logic (FCTL), a fuzzy extension of temporal logics, by combining general fuzzy logic with computation tree logic, and discusses its model checking problem. First, the notion of fuzzy Kripke structures (FKSs) and the syntax and semantics of their specification language FCTL are introduced. Then we give a direct model checking algorithm for FCTL over FKS. On the other hand, we study when FCTL model checking problem can be reduced to classical model checking ones, and give a reduction method for an important fragment of FCTL.

Tzu-Han Hsu,César Sánchez,Sarai Sheinvald,Borzoo Bonakdarpour

DOI: https://doi.org/10.48550/arXiv.2301.06209

2023-01-26

Abstract:Bounded model checking (BMC) is an effective technique for hunting bugs by incrementally exploring the state space of a system. To reason about infinite traces through a finite structure and to ultimately obtain completeness, BMC incorporates loop conditions that revisit previously observed states. This paper focuses on developing loop conditions for BMC of HyperLTL- a temporal logic for hyperproperties that allows expressing important policies for security and consistency in concurrent systems, etc. Loop conditions for HyperLTL are more complicated than for LTL, as different traces may loop inconsistently in unrelated moments. Existing BMC approaches for HyperLTL only considered linear unrollings without any looping capability, which precludes both finding small infinite traces and obtaining a complete technique. We investigate loop conditions for HyperLTL BMC, where the HyperLTL formula can contain up to one quantifier alternation. We first present a general complete automata-based technique which is based on bounds of maximum unrollings. Then, we introduce alternative simulation-based algorithms that allow exploiting short loops effectively, generating SAT queries whose satisfiability guarantees the outcome of the original model checking problem. We also report empirical evaluation of the prototype implementation of our BMC techniques using Z3py.

Logic in Computer Science

Massimo Benerecetti,Laura Bozzelli,Fabio Mogavero,Adriano Peron

2024-04-29

Abstract:Characterisations theorems serve as important tools in model theory and can be used to assess and compare the expressive power of temporal languages used for the specification and verification of properties in formal methods. While complete connections have been established for the linear-time case between temporal logics, predicate logics, algebraic models, and automata, the situation in the branching-time case remains considerably more fragmented. In this work, we provide an automata-theoretic characterisation of some important branching-time temporal logics, namely CTL* and ECTL* interpreted on arbitrary-branching trees, by identifying two variants of Hesitant Tree Automata that are proved equivalent to those logics. The characterisations also apply to Monadic Path Logic and the bisimulation-invariant fragment of Monadic Chain Logic, again interpreted over trees. These results widen the characterisation landscape of the branching-time case and solve a forty-year-old open question.

Logic in Computer Science

Tzu-Han Hsu,Cesar Sanchez,Borzoo Bonakdarpour

DOI: https://doi.org/10.48550/arXiv.2009.08907

2020-10-16

Abstract:Hyperproperties are properties of systems that relate multiple computation traces, including security and concurrency properties. This paper introduces a bounded model checking (BMC) algorithm for hyperproperties expressed in HyperLTL, which - to the best of our knowledge - is the first such algorithm. Just as the classic BMC technique for LTL primarily aims at finding bugs, our approach also targets identifying counterexamples. BMC for LTL is reduced to SAT solving, because LTL describes a property via inspecting individual traces. HyperLTL allows explicit and simultaneous quantification over traces and describes properties that involves multiple traces and, hence, our BMC approach naturally reduces to QBF solving. We report on successful and efficient model checking, implemented in a tool called HyperQube, of a rich set of experiments on a variety of case studies, including security, concurrent data structures, path planning for robots, and testing.

Formal Languages and Automata Theory,Cryptography and Security