MetaGame: An Animation Tool for Model-Checking Games



Similar documents
Model Checking II Temporal Logic Model Checking

jeti: A Tool for Remote Tool Integration

Model Checking: An Introduction

Static analysis of parity games: alternating reachability under parity

Formal Verification and Linear-time Model Checking

Testing LTL Formula Translation into Büchi Automata

Software Modeling and Verification

logic language, static/dynamic models SAT solvers Verified Software Systems 1 How can we model check of a program or system?

Formal Verification Coverage: Computing the Coverage Gap between Temporal Specifications

Automata-based Verification - I

SuperViz: An Interactive Visualization of Super-Peer P2P Network

DiPro - A Tool for Probabilistic Counterexample Generation

T Reactive Systems: Introduction and Finite State Automata

MATHEMATICS: CONCEPTS, AND FOUNDATIONS Vol. III - Logic and Computer Science - Phokion G. Kolaitis

Demonstration of an Automated Integrated Test Environment for Web-based Applications

Static Program Transformations for Efficient Software Model Checking

Journal of Mathematics Volume 1, Number 1, Summer 2006 pp

Module 9. User Interface Design. Version 2 CSE IIT, Kharagpur

Automata-Based Verification of Temporal Properties on Running Programs

Automated Functional Testing of Web-based Applications

TOPAS: a Web-based Tool for Visualization of Mapping Algorithms

8.1 Min Degree Spanning Tree

A Logic Approach for LTL System Modification

Runtime Verification - Monitor-oriented Programming - Monitor-based Runtime Reflection

Reliability Guarantees in Automata Based Scheduling for Embedded Control Software

On the Modeling and Verification of Security-Aware and Process-Aware Information Systems

Decision Making under Uncertainty

Formal Verification Problems in a Bigdata World: Towards a Mighty Synergy

From Workflow Design Patterns to Logical Specifications

Model Checking of Software

Two-Way Traceability and Conflict Debugging for AspectLTL Programs

Software Verification and Testing. Lecture Notes: Temporal Logics

WoPeD - An Educational Tool for Workflow Nets

5 Logic-Based Approaches to Workflow Modeling and Verification

NP-Completeness and Cook s Theorem

Performance of KDB-Trees with Query-Based Splitting*

White Paper: Designing Resourceful Graphical User Interfaces (GUIs) for Healthcare Applications

Program Monitoring with LTL in EAGLE

Fault Localization in a Software Project using Back- Tracking Principles of Matrix Dependency

The Graphical Method: An Example

CHAPTER 14 Understanding an App s Architecture

Using Patterns and Composite Propositions to Automate the Generation of Complex LTL

Fig.1 Electoronic whiteboard and programming education system

Visual Analysis Tool for Bipartite Networks

The Theory of Concept Analysis and Customer Relationship Mining

Easy Casino Profits. Congratulations!!

Bounded Treewidth in Knowledge Representation and Reasoning 1

The Taxman Game. Robert K. Moniot September 5, 2003

Formal Verification by Model Checking

CS 598CSC: Combinatorial Optimization Lecture date: 2/4/2010

U.Rahamathunnisa 1, S. Pragadeeswaran 2 *Assistant Professor, SITE, VIT University, Vellore. **MS(SE) Student, SITE, VIT University, Vellore.

Optimizing Description Logic Subsumption

HECTOR a software model checker with cooperating analysis plugins. Nathaniel Charlton and Michael Huth Imperial College London

On Correlating Performance Metrics

PEELSCHED: a Simple and Parallel Scheduling Algorithm for Static Taskgraphs

Current California Math Standards Balanced Equations

Software Active Online Monitoring Under. Anticipatory Semantics

A Knowledge-based Product Derivation Process and some Ideas how to Integrate Product Development

(Refer Slide Time: 2:03)

Model Checking based Software Verification

International Journal of Software and Web Sciences (IJSWS)

CONCEPT-II. Overview of demo examples

Scheduling Shop Scheduling. Tim Nieberg

Test Coverage Criteria for Autonomous Mobile Systems based on Coloured Petri Nets

DEVELOPMENT OF A VULNERABILITY ASSESSMENT CODE FOR A PHYSICAL PROTECTION SYSTEM: SYSTEMATIC ANALYSIS OF PHYSICAL PROTECTION EFFECTIVENESS (SAPE)

ONLINE EXERCISE SYSTEM A Web-Based Tool for Administration and Automatic Correction of Exercises

An Interactive Visualization Tool for the Analysis of Multi-Objective Embedded Systems Design Space Exploration

Managing and Tracing the Traversal of Process Clouds with Templates, Agendas and Artifacts

The justified user model: A viewable explained user model

Graph Theory Problems and Solutions

CATIA V5 Tutorials. Mechanism Design & Animation. Release 18. Nader G. Zamani. University of Windsor. Jonathan M. Weaver. University of Detroit Mercy

Moreover, under the risk neutral measure, it must be the case that (5) r t = µ t.

Formal Languages and Automata Theory - Regular Expressions and Finite Automata -

Foundational Proof Certificates

Software Model Checking: Theory and Practice

INTERNATIONAL JOURNAL OF COMPUTER ENGINEERING & TECHNOLOGY (IJCET)

Constructing Automata from Temporal Logic Formulas : A Tutorial

Dynamic programming formulation

The Student-Project Allocation Problem

CHAPTER 7 Expected Outcomes

Robot Task-Level Programming Language and Simulation

Game Theory and Algorithms Lecture 10: Extensive Games: Critiques and Extensions

Definition Given a graph G on n vertices, we define the following quantities:

After that you can log in and start creating games or playing existing games.

npsolver A SAT Based Solver for Optimization Problems

Sequential lmove Games. Using Backward Induction (Rollback) to Find Equilibrium

ECON 459 Game Theory. Lecture Notes Auctions. Luca Anderlini Spring 2015

Beating the MLB Moneyline

Combining Software and Hardware Verification Techniques

Handout #1: Mathematical Reasoning

InvGen: An Efficient Invariant Generator

A NOTE ON OFF-DIAGONAL SMALL ON-LINE RAMSEY NUMBERS FOR PATHS

A User Interface for XML Document Retrieval

Monitoring Metric First-order Temporal Properties

Backward Induction and Subgame Perfection

Development of dynamically evolving and self-adaptive software. 1. Background

GUIDE: Games with UML for Interactive Design Exploration

Coverability for Parallel Programs

Hagit Attiya and Eshcar Hillel. Computer Science Department Technion

Path Querying on Graph Databases

Transcription:

MetaGame: An Animation Tool for Model-Checking Games Markus Müller-Olm 1 and Haiseung Yoo 2 1 FernUniversität in Hagen, Fachbereich Informatik, LG PI 5 Universitätsstr. 1, 58097 Hagen, Germany mmo@ls5.informatik.uni-dortmund.de 2 Universität Dortmund, Fachbereich Informatik, LS 5 Baroper Str. 301, 44221 Dortmund, Germany Haiseung.Yoo@cs.uni-dortmund.de Abstract. Failing model checking runs should be accompanied by appropriate error diagnosis information that allows the user to identify the cause of the problem. For branching time logics error diagnosis information can be given by a winning strategy in a graph game derived from the model checking instance. However, winning strategies as such are hard to grasp. In this paper we describe the MetaGame tool that computes and animates winning strategies for modal µ-calculus model checking games on finite graphs. MetaGame allows the user to play model checking games in a GUI interface thus making winning strategies more accessible. Keywords: model checking, game, error diagnosis, branching time logic, animation 1 Introduction Over the last two decades model checking has evolved as a useful technique that aids in the correct design of hardware and software systems. Here we are interested in checking formulas of the modal µ-calculus for small finite-state models. Such models arise, e.g., as high-level descriptions of systems as coordinated lower level components. In such scenarios, state explosion is not an issue as models typically are rather small in comparison to the models used in hardware or software model checking. Therefore, systems can be represented by explicitly given annotated graphs and global techniques can be applied. Nowadays there is a growing awareness that model checking is most effective as an error finding technique rather than a technique for guaranteeing absolute correctness. This is partly due to the fact that specifications that can be checked automatically through model checking are necessarily partial in that they specify only certain aspects of the system behavior. Therefore, successful model checking runs while reassuring cannot guarantee full correctness. On the other hand, On leave from Universität Dortmund. K. Jensen and A. Podelski (Eds.): TACAS 04, LNCS 2988, pp. 163 167, 2004. c Springer-Verlag Berlin Heidelberg 2004

164 Markus Müller-Olm and Haiseung Yoo careful investigation of the cause for failing of model checking runs may allow the user to identify errors in the system. Thus, model checkers are more and more conceived as elaborate debugging tools that complement traditional testing techniques. For model checkers being useful as debugging tools, it is important that failing model checking attempts are accompanied by appropriate error diagnosis information that explains why the model check has failed. Model checkers can fail spuriously, i.e., although the property does not hold for the investigated abstraction it may still be valid for the real system. In order to be useful it should be easy for the user to rule out spurious failures and to locate the errors in the system from the provided error diagnosis information. Therefore, it is important that error diagnosis information is easily accessible by the user. For linear-time logics error diagnosis information is conceptually of a simple type: it is given by an (eventually cyclic) execution path of the system that violates the given property. Thus, linear-time model checkers like Spin [3] compute and output such an error trace in case model checking fails. The situation is more complex for branching-time logics like the modal µ-calculus. Such logics do not just specify properties of single program executions but properties of the execution tree. Hence, meaningful error diagnosis information for branching-time logic model checking cannot be represented by linear executions, in general. Stirling [4, 5] developed a characterization of µ-calculus model checking as a two player graph game with a Rabin chain winning condition [6]. It is wellknown that such games are determined (i.e., one of the players has a winning strategy) and that the winning player always has a memory-less winning strategy. Memoryless strategies can be presented as sub-graphs of the game graph. In the game constructed from a model checking instance, Player II has a winning strategy if and only if model checking fails. Thus, we can use a winning strategy of Player II as error diagnosis information. Conversely, Player I has a winning strategy in the constructed game if and only if model checking succeeds. Thus, a winning strategy of Player I can be seen as justification for a successful model check. Thus, both successful and failing model checking runs give rise to the same type of justifying information, a nice symmetry. However, it is not easy to interpret winning strategies as such. Therefore, we propose to animate winning strategies. The idea is that the user is put into the position of the losing player and plays games against the system. The system plays according to the computed winning strategy. Obviously, this implies that the user will lose all games. By this, the user increases his knowledge about the system behavior and hopefully understands the model checking result better. By the above mentioned symmetry, this idea is applicable for error diagnosis (user=player I, system=player II) as well as for understanding successful model checking results (user=player II, system=player I). The MetaGame tool realizes this idea. It is integrated into the MetaFrame environment [2] and relies on its basic infrastructure and graph manipulation capabilities. MetaGame extends the MetaFrame environment with strategy synthesis and a GUI-based animation of µ-calculus model-checking games. A number

MetaGame: An Animation Tool for Model-Checking Games 165 Fig. 1. A screenshot showing the main windows of MetaGame. of features are intended to allow a more informative and more easily accessible animation. In the next section we show an example run of MetaGame on a small illustrative example and discuss the main features. 2 Playing Games with MetaGame As usual, system models are given by finite graphs the edges of which are labeled by actions and the nodes of which are labeled by sets of atomic propositions. System models can be created and manipulated with MetaFrame s PLGraph editor or loaded from a file. The top left window in Fig. 1 shows an example system model. The logic supported by MetaGame is a variant of the modal µ- calculus. The formula to be checked onto the system model can be typed into a text field or loaded from a file. The bottom left window in Fig. 1 shows an example formula. In standard µ-calculus syntax this formula reads µx 1.( a (P b [c]x 1 )). After loading or creating a system and a formula, MetaGame constructs the corresponding game graph and computes the winning regions of Player I and II and their respective winning strategies. This is done simultaneously for all positions of the game graph by a strategy synthesis algorithm that achieves essentially the same asymptotic complexity as counter-based global µ-calculus model checkers [1]. After computing the winning strategies, MetaGame offers the user to play error diagnosis games; i.e., the user is put into the position of Player I. The primary view of the played game is a designated window that shows the explored game positions in a tree-like fashion together with a Game Menu window that offers options for proceeding with building this tree. The big window in the right

166 Markus Müller-Olm and Haiseung Yoo part of Fig. 1, for instance, shows a situation in an error diagnosis game for the example graph and formula in which the user has decided to play from the state start and proceed with the game position (u, P b [c]x 1 ). Each game position is a pair (s, φ) consisting of a state s in the system model and a sub-formula φ of the model-checked formula. Intuitively, Player I (the user) tries to justify that φ holds for s while Player II (the system) tries to refute it. Accordingly, Player I plays from positions in which the outermost operator of φ is of a disjunctive nature (i.e., or A ) and Player II from positions in which the outermost operator is a conjunctive operator (i.e., or [A] ). Positions of Player I are shown as squares and positions of Player II as circles. Fixpoint formulas σx.φ (where σ {Min, Max}) are identified with their unfolding φ[σx.φ/x]. Player II wins the game if (1) the game reaches a position of the form (s, P ) (or (s, P )) where state s does not satisfy atomic proposition P (or satisfies P, respectively); (2) the game reaches a position (s, φ) in which it is Player I s turn, but Player I has no move; or (3) the game becomes cyclic (i.e., a position (s, φ) is revisited in a game) and the outermost fixpoint operator in the cycle is a minimal fixpoint. The winning conditions for Player I are dual. In the game window, the user can choose his next move by selecting a position in the game position tree with the mouse. After clicking the Play button in the Game Menu window, the system proceeds with the game according to Player II s winning strategy as far as possible. Afterwards it asks the user for a next move or, if a winning situation for Player II has been reached, it informs the user about the reason for winning. By clicking the Fast Forward button the user can also instruct the system to choose some next move arbitrarily. A number of features lead to a more informative and accessible animation. 1. As shown in Fig. 1, the projection of the selected game position onto the state and the formula component are shown in the system model and in the formula window by coloring the corresponding state and sub-formula, respectively. This allow the user to match the game position with the model state and the sub-formula much more easily. 2. The user can backtrack in a play and multiple plays can be in progress simultaneously. This is achieved by allowing the user to select his next move at an arbitrary place in the position tree. 3. The user can prune the position tree, by cutting off explored pieces he is no longer interested in ( Stop -button). In addition, various AutoDelete options allow the user to automatically prune the position tree according to the place of the chosen next move. 4. The user can introduce delays into the animation of Player I s strategy and interrupt the animation with the Pause button. Fig. 2 shows a final situation for the example graph in which the user has lost all three possible plays. Besides error diagnosis games, MetaGame also allows the user to play games that explain successful model checking runs.

MetaGame: An Animation Tool for Model-Checking Games 167 Fig. 2. A final situation. 3 Conclusion We have described the MetaGame tool that allows the user to play model checking games in a GUI interface. As state explosion is not an issue in the intended application scenarios, we can apply global strategy synthesis and compute and store strategies for the whole game graph completely. This allows us to animate model checking games without noticeable delays and to offer the flexibility to backtrack and to have multiple plays in progress simultaneously. We consider this important factors for a wider acceptance of the idea of playing games as a means for understanding model checking results of branching time logics. References 1. R. Cleaveland, M. Klein, and B. Steffen. Faster model checking for the modal mu-calculus. In G. v. Bochmann and D. K. Probst, editors, Computer Aided Verification (CAV 92), volume 663 of Lecture Notes in Computer Science, pages 410 422. Springer-Verlag, June/July 1992. 2. Metaframe homepage. http://ls5-www.cs.uni-dortmund.de/projects/metaframe/. 3. Spin homepage. http://spinroot.com/spin/whatispin.html. 4. C. Stirling. Local model checking games. In S. A. Smolka, editor, Proc. 6th Intern. Conf. on Concurrency Theory (CONCUR 95), volume 962 of Lecture Notes in Computer Science, pages 1 11. Springer-Verlag, 1995. 5. C. Stirling and P. Stevens. Practical model-checking using games. In TACAS 1998, volume 1384 of Lecture Notes in Computer Science, pages 85 101, 1998. 6. W. Thomas. On the synthesis of strategies in infinite games. In E. Mayr and C. Puech, editors, Proceedings of the 12th Annual Symposium on Theoretical Aspects of Computer Science, STACS 95, volume 900 of Lecture Notes in Computer Science, pages 1 13. Springer-Verlag, 1995.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information