SCC-hull Algorithm for Compassionate Model Checking

Here we present the full algorithm for symbolic LTL model checking, including for the sake of completeness, support for compassion at the algorithmic level, as opposed to adding it to the specification or allowing only weaker forms of fairness. All symbolic LTL model checkers support justice but not all support compassion. For example, at the time of this writing, NuSMV supports compassion [180] but CadenceSMV does not [181]. Currently, compassion requirements are rarely used in industrial practice. The algorithm discussed in this section was first published in 1998 by Kesten, Pnueli, and Raviv [37] and is exactly

the under-the-hood implementation in NuSMV today [180]. It is presented in a straight-forward manner using standard set theory since set operations on the languages accepted by finite automata translate transparently to logical operations on Boolean functions, as we discussed in Chapter 2.9.

We call an automaton feasible if it has at least one computation. The corollary to Theorem 2.6 is that A_{M, ¬ϕ} is feasible iff GAM, ¬ϕ contains a fair subgraph (a non-singular strongly connected component that is both just and compassionate). Therefore, we first check for the presence of a fair subgraph and determine the feasibility of our combined automaton. The model-checking problem reduces to M |= ϕ iff AM, ¬ϕ is not feasible. If AM, ¬ϕ is not feasible, then our verification is complete; we can conclude that M |= ϕ. If AM, ¬ϕis feasible, we will need to construct a (preferably short) counterexample.

Indeed, the algorithm for checking whether an automaton is feasible is essentially a specialization of the standard iterative algorithm for finding strongly connected compo-nents in a graph. The original cycle-detection algorithms for explicit-state model checking recursively mapped strongly connected subgraphs, computing closures under both succes-sors and predecessucces-sors [39, 41]. Later it was proved that the requirement of bi-directional closure is too strong [37]. The algorithm, F E A S I B L E(), presented in Figure 2.12, re-quires only closure under successor states while looking for initial components of the graph [37].²⁰ Proofs of soundness, completeness, and termination of this algorithm are provided in [37, 49].

The algorithm F E A S I B L E()takes as input a synchronous parallel composition of the system and specification, which in our case is A_{M, ¬ϕ}. Recall that in this construction, ¬ϕ is essentially serving as a tester of M, continuously monitoring the behavior of the system and making sure the system satisfies the desired property. Let ||ψ|| denote the predicate

consist-20An equivalent algorithm would be to check for closure under predecessor states while looking for termi-nal components in the state-transition graph.

algorithm F E A S I B L E(A_{M, ¬ϕ}): predicate // Check feasibility of A_{M, ¬ϕ} new, old : predicate //a predicate is a subset of

the set of states Q

R : relation //a relation is a set of pairs of states

old = ∅ //initialize old to the empty set

R = ||δ|| //R is the set of all state pairs in the

for each J ∈ J do //for each justice requirement J in the set J new = (new ∩ ||J||) ◦ R^∗ //new is reduced to the set of new states

reach-able in a finite number of transitions from a state satisfying justice requirement J for each (y, z) ∈ C do //for each compassion requirement (y, z)

in the set C begin

new = (new − ||y||) ∪ [(new ∩ ||z||) ◦ R^∗] //subtract from new all states where y holds and add to new all states reachable in a finite num-ber of steps from a z-state in new R = R ∩ (Q × new) //subtract from R all transitions that don’t

lead into a state in new end

while (new , new ∩ (new ◦ R)) do //while new is not comprised of the set of all successors of new states

new = new ∩ (new ◦ R) //reduce new to states that have predecessors in new

end

return (new) //here, new should contain only f air strongly connected components

Figure 2.12 : Pseudocode for the feasible algorithm from [37].

ing of all states that satisfy ψ, for some formula ψ, and ||δ|| denote the relation consisting of all state pairs < q, q⁰ > such that δ(q, σ) = q⁰for any alphabet character σ ∈Σ. Our subrou-tine starts by computing the set of all successors of the initial state, q0in the predicate new.

Because any run of AM, ¬ϕ will satisfy the initial condition and obey the transition relation but not necessarily satisfy the justice and compassion requirements, we need to check for this characteristic additionally. We loop through each justice and compassion requirement, subtracting states from new that are not reachable in a finite number of steps from states satisfying that requirement. Then we remove from new all states that do not also have a predecessor in new since such states cannot be part of a strongly connected component. We repeat this process until we reach a fixpoint; looping through every fairness requirement, checking for predecessors, and reducing new accordingly does not change the size of new.

At this point, if new is empty, we return the emptyset and conclude that A_{M, ¬ϕ} is not fea-sible and, therefore, M |= ϕ. If new is not empty, then it contains a fair strongly connected component of GAM, ¬ϕfrom which we must extract a counterexample witness.

To aid in our quest to efficiently find a short counterexample, if possible, we require a subroutine to find the shortest path between two states in GAM, ¬ϕ. Let λ represent the empty list. We use the ∗-operator to denote list fusion such that if L₁ = (`1, `₂, . . . `i) and L2 = (`ⁱ, `i+1, . . .) are standard list data structures such that the last element of L1is the same as the first element of L2, then L1∗L<sub>2</sub> = (`1, `2, . . . `i, `i+1, . . .) represents their concatenation, overlapping this shared element, or simply concatenating the lists if there is no overlap. We define the function choose(P) to consistently choose one element of a predicate P. Then we have the ^{P A T H}()subroutine in Figure 2.13.

We are now ready to present the full counterexample extraction algorithm, which we callW I T N E S S(), displayed in Figure 2.14. For completeness, we show the step of check-ing AM, ¬ϕ for feasibility in context. We define the function last(L1) to return the last ele-ment in the list L1.

// Compute shortest path from source to destination

function P A T H(source, destination : predicate; R: relation) : list start, f : predicate //a predicate is a subset

of the set of states Q

L : list //a list is an ordered sequence of states

s : state

start = source

L = λ //L is now the empty list

while (start ∩ destination == ∅) do begin

f = R ◦ destination //start set f is the set of all predecessors of destination states

while (start ∩ f == ∅) do //while we haven’t found a path back to start f = R ◦ f //add all of the predecessors of the states

currently in the set f

s = choose(start ∩ f ) //pick one of the shortest path start states L = L ∗ (s) //add this state to the end of the state list start = s ◦ R //add all successors of s to the set start end

return L ∗ (choose(start ∩ destination)) //push the last state onto the end of the list and return the path

Figure 2.13 : Pseudocode of the path algorithm from [37].

After checking A_{M, ¬ϕ} for feasibility, we exit if M |= ϕ. If not, we know that the set returned by F E A S I B L E(), which we save in f inal, contains all of the states in fair SCCs that are reachable from q₀. We look at the set of successors of states in the set f inal. We pick a state from this set and iterate, replacing our chosen state s with one of its predecessors until the set of predecessors of s is a subset of the set of successors of s. Basically, we are attempting to move to an initial SCC in the quotient graph of GAM, ¬ϕ. Termination of this step is guaranteed by the finite nature of GA_{M, ¬ϕ}and the structure of the quotient graph. Next, we compute the precise SCC containing s, restrict our attention to transitions between states in this SCC, and utilize our shortest path algorithm to find the prefix of our counterexample, or the path from q₀ to our fair SCC. Then we construct the fair cycle through our SCC that satisfies all fairness requirements. In order to do this, we loop through each justice requirement, adding to our cycle a path to a state that satisfies that

algorithm W I T N E S S(A_{M, ¬ϕ}) : [list, list]

reach s are not all states that can be reached from s

s = choose(R^∗ ◦ {s} − {s} ◦ R^∗) //replace s with a predecessor that is not also a successor

f inal = R^∗ ◦ {s} ∩ {s} ◦ R^∗ //compute the SCC containing s,

i.e. the maximum set of states t such that (t { s) ∧ (s { t)

R = R ∩ ( f inal × f inal) //R now contains only transitions within the SCC f inal

pre f ix = ^{P A T H}(||q0||, f inal, ||δ||) //pre f ix is now a shortest path from an initial state to a state in f inal period = (last(pre f ix)) //period starts in the final state of

pre f ix

for each J ∈ J do //add in the justice requirements

if (list − to − set(period) ∩ ||J|| == ∅) then //if there are no states in period satisfying justice requirement J period = period ∗ ^{P A T H}({last(period)}, f inal ∩ ||J||, R) //add to the end of

period a shortest path to a state satisfying J

for each (y, z) ∈ C do //add in the compassion requirements if ((list − to − set(period) ∩ ||z|| == ∅) ∧ ( f inal ∩ ||y|| , ∅)) then

//if this compassion requirement isn’t satisfied

period = period ∗ ^{P A T H}({last(period)}, f inal ∩ ||z||, R) //add a z state into period period = period ∗ ^{P A T H}({last(period)}, {last(pre f ix)}, R)

//finish period with a path to the end of pre f ix to form a complete loop return(pre f ix, period)

Figure 2.14 : Pseudocode for the witness algorithm from [37].

requirement if there is not one in the cycle already. We do the same for each compassion requirement. Finally, we complete the cycle with the shortest path back to the state we started the cycle from and we are ready to return our counterexample.