Hierarchical and Recursive State Machines with Context-Dependent Properties
Salvatore La Torre, Margherita Napoli, Mimmo Parente and Gennaro Parlato
Dipartimento di Informatica ed Applicazioni, Università degli Studi di Salerno
System Verification (Model Checking)
• Given:
  – a system model M (Kripke structure)
  – a high-level specification φ (logic formula)
• Is M a model of φ?
• Complexity of model checking: O(|M|·2^|φ|); the |M| factor is where state-space explosion bites
Our Target
• Propose a “new model” to represent models succinctly
• And solve model checking problems efficiently on it:
  – Reachability
  – Cycle detection
  – LTL model checking
Recursive State Machine
An RSM M = (M1, …, Mk) is composed of
  – k machines modelling k procedures
  – machines that can call each other recursively
  – machines represented as graphs
Vertices
Machines have two kinds of vertices:
• Nodes (internal states)
• Boxes (procedure calls)
Entry and Exit Nodes
[Figure: a machine with entry nodes e1, e2, e3, which receive the parameters, and exit nodes ex1, ex2, ex3, ex4, which carry the return values]
Edges
• Node-to-Node
• Node-to-Box
• Box-to-Node
• Box-to-Box
Labelling
• Given a set AP of atomic propositions
• We associate a subset of AP with both nodes and boxes
[Figure: machines M1, M2, M3 with vertices labelled by sets such as {p,q,r} and {t,r,p}]
Example: Digital Clock modelled by a Hierarchical State Machine
[Figure: three machines. Seconds: entry start1, nodes sec0 … sec59, exit out1. Minutes: entry start2, boxes labelled min0 … min59, each expanding to Seconds, exit out2. Hours: entry start3, boxes labelled h0 … h23, each expanding to Minutes, exit out3. The figure also lists the propositions second0 … second59, minute0 … minute59 and hour0 … hour23.]
Flat Model
[Figure: the flat machines M1^F (the seconds machine) and M2^F (the minutes machine in which every minute box, minute0 … minute59, is replaced by a copy of the seconds machine)]
• The flat model has 24·60·60 = 86,400 states
• Our model has 24+60+60+6 = 150 vertices
HSMs in [AY98]
• Only nodes are labelled with atomic propositions: a model and its flat have the same number of different labels
• To check properties at a precise time (e.g., time 10:20:45) the model must have at least one node for each possible hh.mm.ss
• Our model can be exponentially more succinct
Related Work
• Model checking of hierarchical state machines [Alur, Yannakakis 1998]
• Analysis of recursive state machines [Alur, Etessami, Yannakakis 2001]
• Model checking of unrestricted hierarchical state machines [Benedikt, Godefroid, Reps 2001]
• Visibly pushdown languages [Alur, Madhusudan 2004]
• A temporal logic of nested calls and returns [Alur, Etessami, Madhusudan 2004]
Outline
• Overview
• Reachability problem
• LTL model checking
• Conclusion
Reachability Problem
Given an HSM M and a propositional boolean formula φ, the Reachability Problem is:
Is there a reachable state (in the flat of M) on which φ holds?
[Figure: a reachable state X of the flat model with φ(label(X)) = TRUE]
Computational Complexity
• The reachability problem is NP-complete
  – NP-hardness: reduction from 3-CNF-SAT to Reachability (with φ an AND of literals)
  – NP-membership:
    1. guess a state X of M^F
    2. check that X is reachable in M^F
    3. verify φ on X
• We can solve Reachability in O(|M|·|φ|·2^|AP|) time
A Solution in O(λ·|M|·|φ|)
Reach(i,P) = TRUE iff there is a state q of M_i^F reachable from start_i with φ(L(q) ∪ P) = TRUE, i.e. a reachable state of M_i^F satisfying φ under the assumption that the propositions in P hold TRUE on all states of M_i^F.
The original problem is Reach(k,Ø).
[Figure: a state q of M_i^F reached from start_i with φ(L(q) ∪ P) = TRUE; entering a box b of M_i corresponds to Reach(expand(b), P ∪ L(b)) = TRUE]
How to compute Reach(i,P)
[Figure: a box b of M_i with label L(b); the machine inside b inherits P ∪ L(b)]
Our Algorithm
Reach(i,P) =
    ∨_{u a reachable node of M_i} φ(P ∪ label(u))
  ∨ ∨_{b a reachable box of M_i} Reach(expand(b), P ∪ label(b))
• Reach(i,P) takes O(|M_i|·|φ|) time plus the time for the calls Reach(expand(b), P ∪ label(b))
• Total time is O(λ·|M|·|φ|) (λ is the maximum number of different sets P per machine)
Good cases
• Reach(k,Ø) takes O(λ·|M|·|φ|) time with λ ≤ 2^|AP|
• If λ is bounded by a constant, then Reach(k,Ø) takes O(|M|·|φ|) time
• In particular, if M is an Alur and Yannakakis machine, every M_i inherits only the empty set (λ = 1)
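The Reach(i,P) recursion of the two slides above, as an added Python example (not code from the paper or its authors). It assumes a constructed three-level clock-like HSM with hypothetical vertex names, one entry "start" and one exit "out" per machine, and an acyclic call graph (hierarchical rather than recursive); memoising on (i, P) is what bounds the work per machine by λ.

```python
from functools import lru_cache

# Constructed toy HSM in the spirit of the digital-clock slide (hypothetical names): M1 counts
# seconds with labelled nodes, M2 counts minutes with boxes expanding to M1, M3 counts hours
# with boxes expanding to M2. Every machine has entry "start" and exit "out".
MACHINES = {
    1: dict(nodes={"start": set(), "sec0": {"sec0"}, "sec1": {"sec1"}, "out": set()}, boxes={},
            edges=[("start", "sec0"), ("sec0", "sec1"), ("sec1", "out")]),
    2: dict(nodes={"start": set(), "out": set()},
            boxes={"bmin0": (1, {"min0"}), "bmin1": (1, {"min1"})},   # box -> (callee, label)
            edges=[("start", "bmin0"), ("bmin0", "bmin1"), ("bmin1", "out")]),
    3: dict(nodes={"start": set(), "out": set()}, boxes={"bh0": (2, {"h0"}), "bh1": (2, {"h1"})},
            edges=[("start", "bh0"), ("bh0", "bh1"), ("bh1", "out")]),
}
ROOT = 3  # the top-level machine (M_k on the slides)

def reachable_vertices(i):
    """Vertices of M_i reachable from its entry; a box is crossed only if its callee returns."""
    m, succ = MACHINES[i], {}
    for a, b in m["edges"]:
        succ.setdefault(a, []).append(b)
    seen, stack = {"start"}, ["start"]
    while stack:
        v = stack.pop()
        if v in m["boxes"] and not exit_reachable(m["boxes"][v][0]):
            continue  # the call is entered but never comes back, so nothing after it is reached
        for w in succ.get(v, []):
            if w not in seen:
                seen.add(w)
                stack.append(w)
    return seen

@lru_cache(maxsize=None)
def exit_reachable(i):
    return "out" in reachable_vertices(i)

def reach(phi, i=ROOT, P=frozenset(), memo=None):
    """Reach(i,P) of the slides; memo is keyed by (i, P), so its size per machine is lambda."""
    memo = {} if memo is None else memo
    if (i, P) in memo:
        return memo[(i, P)]
    m, found = MACHINES[i], False
    for v in reachable_vertices(i):
        if v in m["nodes"]:
            found = found or phi(P | m["nodes"][v])             # phi(P ∪ label(u))
        else:
            callee, lab = m["boxes"][v]
            found = found or reach(phi, callee, P | lab, memo)  # Reach(expand(b), P ∪ label(b))
    memo[(i, P)] = found
    return found
```

Passing your own `memo` dict lets you count the (machine, P) contexts actually evaluated: for this model a formula that is never satisfied visits 7 contexts, while the flat model has 2·2·2 counter states plus entry and exit nodes.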
Restricted HSM
[Figure: example of a restricted HSM (node u, proposition p)]
Efficient Solution on Restricted HSM
• Reachability on restricted HSMs with formulas in DNF is decidable in O(|M|·|φ|) time
• Reachability is NP-hard if either:
  – M is a non-restricted HSM, or
  – φ is a (general) boolean formula
• Reachability is decidable in O(|M|·2^|φ|) time on restricted HSMs
LTL Model Checking
• We use the automata-theoretic approach
Given an HSM M and an LTL formula φ, the problem is:
Does every trace of the flat model of M satisfy φ?
Automata-Theoretic Approach
1. Given an LTL formula φ, we build a Büchi automaton A_¬φ: O(2^|φ|) [Vardi and Wolper]
2. We build a new HSM M' as a product of M and A_¬φ: O(|M|·16^|φ|)
3. φ is satisfied on M iff L(M') = Ø: O(|M'|) [Alur et al.]
Main Result
LTL model checking can be solved in O(|M|·16^|φ|) time
Structure of M'
• M' consists of graphs M(i,j,P)
• M(i,j,P) is contained in the Cartesian product of M_i and A_¬φ:
  – start_i is coupled with j (a state of A_¬φ)
  – the set of atomic propositions P is inherited from its ancestors
Nodes of M(i,j,P)
A node u of M_i with label P_u and a state q of A_¬φ with label P_q give the node [u,q,j,P] of M(i,j,P), provided P ∪ P_u = P_q.
Boxes of M(i,j,P)
A box b of M_i with label P_b, expanding to a machine M_h whose entry start_h has label P_start_h, and a state q of A_¬φ with label P_q give the box [b,q,j,P] of M(i,j,P), provided P ∪ P_b ∪ P_start_h = P_q. The box [b,q,j,P] expands to M(h,q,P ∪ P_b).
Edges from a node of M(i,j,P)
An edge u → v of M_i and an edge q' → q'' of A_¬φ give the edge [u,q',j,P] → [v,q'',j,P] of M(i,j,P).
Edges from a box of M(i,j,P)
An edge of M_i from box b (leaving through exit o) to v and an edge q' → q'' of A_¬φ give the edge of M(i,j,P) from box [b,q,j,P] (leaving through exit [o,q',h,P']) to [v,q'',j,P].
Conclusion
• Decision problems:
  – Reachability
  – Cycle detection
  – LTL model checking
• Restricted HSMs
• Recursive Finite State Machines (expansions model recursive calls)
Main results
                          Reachability                     Cycle detection   LTL Model Checking
RSM                       NP-complete, O(|M|·|φ|·2^|AP|)   Pspace-complete   O(|M|·16^|φ|)
restricted HSM, φ in DNF  O(|M|·|φ|)                       Pspace-complete   O(|M|·8^|φ|)