Reachability Analysis for Some Models of Infinite-State Transition Systems
Oscar H. Ibarra, Tevfik Bultan, and Jianwen Su
Department of Computer Science
University of California, Santa Barbara
{ibarra,bultan,su}@cs.ucsb.edu
Problem
Automated verification techniques have been successful for finite state systems
In general, verification problems are undecidable for infinite state systems
What kind of restrictions can we place on infinite state systems to make verification problems decidable?
Outline
Restricted computational models
– Reversal-bounded, finite-crossing, phase-bounded machines
Language acceptors vs. behavior generators
Decidable properties as language acceptors
Decidable verification queries as behavior generators
Extensions to computational models
Applications
Conclusions and future work
Shankar’s Example This Morning
P can be verified with a Presburger arithmetic model checker that uses standard backward fixpoint computations [Bultan et al. 99]
The fixpoint computation for AG(State1 x 6) does not converge; widening can be used to force convergence
However, this system is a reversal-bounded counter machine, hence we do not need approximations: we can verify its invariants exactly
[Figure: two control states State0 and State1, with a transition State0 -> State1 and a transition State1 -> State0, both labelled x'=x+1; Initial: x=0, State0; property P: AG(State1 ... (... . x = 2 ... + 1))]
Examples of Infinite State Systems
Timed automata [Alur, Dill 90]
– Finite state control + real valued clocks which increase uniformly or are reset, based on clock constraints
– Clock constraints are restricted to x # c (# is a comparison operator)
– Verification results: region reachability, TCTL model checking [Alur et al. 93], binary reachability [Comon, Jurski 99]
Pushdown automata
– Finite state control plus an unrestricted stack
– Verification results: μ-calculus model checking [Walukiewicz 96, Bouajjani et al. 97]
Restricted Infinite-State Systems
Basic Model: Reversal-bounded counter machines (CM)
A nondeterministic finite automaton augmented with a finite number of counters
Each counter can be incremented or decremented by 1 and tested for zero
The counters are reversal-bounded: the number of times a counter can change from non-decreasing to non-increasing and vice versa is bounded by a constant
Reversal-Bounded Computation
[Figure: counter value plotted against the computation; the two points where the counter changes direction are marked as reversals]
Reversal-Bounded Counters (CM)
Note that a counter can take any value in the natural numbers
The number of states (i.e., configurations of the machine) is infinite
Without the reversal-boundedness restriction, basic properties of counter machines (such as emptiness) are undecidable (two unrestricted counters can simulate a Turing machine)
Adding a Pushdown to CM
A reversal-bounded counter machine (CM) can be extended with additional data structures
A pushdown counter machine (PCM) is a reversal-bounded counter machine augmented with a single unrestricted pushdown stack
PCMs are more powerful than CMs and pushdown automata
Emptiness is undecidable with a two-way input tape or with two pushdown stacks
Adding a Restricted Tape to CM
A tape counter machine (TCM) is a reversal-bounded counter machine augmented with a single restricted two-way read/write worktape
The tape is finite-crossing: the number of times the head crosses the boundary between any two adjacent cells of the worktape is bounded by a constant
TCMs and PCMs are incomparable
Adding a Restricted Queue to CM
A queue counter machine (QCM) is a CM augmented with a single restricted queue
The queue is phase-bounded: the number of alternations between a non-deletion phase and a non-insertion phase is bounded by a constant
TCMs can effectively simulate QCMs
An unrestricted queue can simulate a TM
A Simple Example
The producer has a produce state with a write transition that increments the produced counter and writes a symbol from the finite alphabet {a, b} to the queue
The consumer has a consume state with a read transition that increments the consumed counter and reads a symbol from the queue
We can check invariants such as: produced - consumed equals the number of items in the queue, and the number of a's in the queue is less than or equal to the number of b's
[Figure: PRODUCER (finite state control + counter produced) writes to a queue that is read by CONSUMER (finite state control + counter consumed)]
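An added example (not from the slides) that makes the two restrictions concrete on the producer/consumer system above: `count_reversals` measures the reversal bound of a counter trace, and `explore` enumerates only those runs whose queue stays within a given phase bound, checking an invariant on every configuration it visits. The producer writing either symbol at will and the depth cut-off are my modelling assumptions.

```python
from collections import deque

ALPHABET = ("a", "b")
INIT = (0, 0, ())          # (produced, consumed, queue contents), constructed initial state

def successors(cfg):
    """Transitions of the producer/consumer system: a write increments 'produced'
    and appends a symbol, a read increments 'consumed' and removes the head.
    Returns (action, next configuration) pairs."""
    produced, consumed, queue = cfg
    moves = [("write", (produced + 1, consumed, queue + (sym,))) for sym in ALPHABET]
    if queue:
        moves.append(("read", (produced, consumed + 1, queue[1:])))
    return moves

def count_reversals(values):
    """Reversals of a counter trace: switches between increasing and decreasing runs
    (steps with no change never count as a reversal)."""
    direction, reversals = 0, 0
    for prev, cur in zip(values, values[1:]):
        d = (cur > prev) - (cur < prev)
        if d and direction and d != direction:
            reversals += 1
        direction = d or direction
    return reversals

def balance_invariant(cfg):
    produced, consumed, queue = cfg
    return produced - consumed == len(queue)

def a_le_b_invariant(cfg):
    return cfg[2].count("a") <= cfg[2].count("b")

def explore(invariant, phase_bound, depth):
    """Breadth-first search over runs whose queue makes at most `phase_bound`
    alternations between a non-deletion phase (writes only) and a non-insertion
    phase (reads only). Returns (counterexample or None, number of items explored)."""
    frontier = [(INIT, None, 0)]      # (configuration, current phase, alternations so far)
    seen = set(frontier)
    for level in range(depth + 1):
        nxt = []
        for cfg, phase, alt in frontier:
            if not invariant(cfg):
                return cfg, len(seen)
            if level == depth:
                continue
            for action, new_cfg in successors(cfg):
                new_alt = alt + (phase is not None and action != phase)
                if new_alt > phase_bound:
                    continue          # run leaves the phase-bounded restriction
                item = (new_cfg, action, new_alt)
                if item not in seen:
                    seen.add(item)
                    nxt.append(item)
        frontier = nxt
    return None, len(seen)
```

Because the exploration only removes behaviours, any counterexample it reports (such as the first write of an `a` breaking the second invariant) is a real run of the unrestricted system.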
Language Acceptors vs. Behavior Generators
Computational models can be used as language recognizers when they are augmented with a one-way read-only input tape
We are interested in the behaviors they generate: Use computational models as system specifications rather than language recognizers
Machines with input tape can be used to analyze parametric systems where the parameters can be specified on the input tape
Interesting Properties for Language Acceptors
Given arbitrary language acceptor machines M1, M2:
– Emptiness: Is L(M1) (the language accepted by M1) empty?
– Containment: Is L(M1) ⊆ L(M2)?
– Equivalence: Is L(M1) = L(M2)?
Simplest acceptors: finite automata (deterministic, nondeterministic, one-way input tape, two-way input tape). The above properties are decidable for them.
Interesting Properties for Behavior Generators
Binary reachability: Given two configurations of machine M, is there a behavior which starts at the first and reaches the second?
Forward reachability: Given a set of configurations S, what is the set of configurations that the machine M can reach starting from a configuration in S?
Backward reachability: Given a set of configurations S, what is the set of configurations that the machine M can start from and reach a configuration in S?
Nonsafety: Given a machine M, an initial set I and a set P of configurations, is there a configuration in I which reaches a configuration in P ?
Invariance: Given a machine M, an initial set I and a set P of configurations, are all the configurations on all the behaviors which start from I in P ?
Basic Approach
First show decidability of the emptiness problem for a class of language acceptors
Then reduce verification problems to the emptiness problem. Given an arbitrary machine M:
– Show that a verification property of M can be specified as a language
– Show that a language acceptor M' can be effectively constructed which accepts this language
– Show that the verification query can be answered by checking language emptiness of the language acceptor M'
Emptiness Problem for PCM-acceptors
Theorem: The emptiness problem for PCM-acceptors is decidable [Ibarra 78]
Proof idea: Given an alphabet A with symbols a1, ..., ak, for each word w in A* define f(w) = (i1, ..., ik) where ij is the number of occurrences of aj in w (the Parikh map)
Given a PCM-acceptor M, f(L(M)) is an effectively computable Presburger formula (equivalently, it is a semilinear set)
L(M) is empty iff f(L(M)) is empty, which is decidable since f(L(M)) is Presburger
Emptiness Problem for CM-acceptors
Corollary: The emptiness problem for CM-acceptors is decidable
The emptiness problem for CM-acceptors is decidable in n^(ckr) for some constant c, where n is the size of the finite state control, k is the number of counters, and r is the reversal bound on each counter [Gurari and Ibarra 81]
Emptiness Problem for TCM-acceptors
Theorem: The emptiness problem for TCM-acceptors is decidable
Lemma 1: Let M be a TCM-acceptor. We can effectively construct a TCM M' such that L(M) = L(M') and in any computation of M' its read/write head moves left or right of a cell in every step
Lemma 2: Let M be a TCM-acceptor. We can effectively construct a TCM M' such that L(M) is nonempty iff M', when started with a blank worktape and zero counters, has a halting sequence of moves
Binary Reachability
Given a machine M, define the reachability set R(M) of M as the set of all pairs of configurations such that the first configuration can reach the second in 0 or more transitions
Theorem: Given a PCM M, we can effectively construct a PCM-acceptor M' accepting R(M)
Proof idea: First, M' reads the first configuration of the pair and records it. Then M' simulates the computation of M. At some point it guesses that it has reached the second configuration and verifies its guess by comparing it with the input
Theorem: Given a TCM M, we can effectively construct a TCM-acceptor M' accepting R(M)
Safety
Theorem: Given a PCM (TCM) M and two sets of configurations I and P accepted by CM-acceptors, we can effectively construct a PCM (TCM) M' that accepts a configuration iff 1) it is in I, and 2) M, when started in it, can reach a configuration in P
Proof idea: Let MI and MP be CM-acceptors accepting I and P, respectively. We construct a PCM-acceptor M' which first checks that its input is accepted by MI. Then it simulates M starting from this input configuration. Then it guesses that it has reached a configuration in P and verifies this guess by checking that the configuration is accepted by MP
Corollary 2: Given a PCM (TCM) M and two sets of configurations I and P accepted by a CM-acceptor and a deterministic CM-acceptor, respectively, we can effectively construct a PCM (TCM) M' that accepts a configuration iff 1) it is in I, and 2) M, when started in it, can reach a configuration not in P
Forward and Backward Reachability
Given a machine M and a set of configurations P, define the set of configurations FM(P) (respectively BM(P)) as the set of configurations that can be reached from (respectively that can reach) configurations in P in 0 or more transitions
Theorem: Given a PCM (TCM) M and a set of configurations P accepted by a CM-acceptor, we can effectively construct a PCM (TCM) acceptor accepting FM(P)
The same result holds for BM(P)
Theorem: Let M be a CM and P be a set of configurations. Then BM(P) (FM(P)) is accepted by a CM-acceptor iff P is accepted by a CM-acceptor
Corollary: Let M be a CM and P be a set of configurations. Then BM(P) (FM(P)) is Presburger iff P is Presburger
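An added example (not from the slides) applying the binary reachability and forward reachability results to Shankar's two-state example from the start of the talk: the single counter only ever increases, so the system is a 0-reversal CM, and both R(M) and FM({(State0, 0)}) have closed Presburger forms. The closed forms are my own derivation and are cross-checked here against explicit enumeration; the invariant "x is odd whenever control is in State1" is my reading of the garbled property on the slide, stated as an assumption.

```python
from collections import deque

STATE0, STATE1 = "State0", "State1"
INIT = (STATE0, 0)                      # Initial: x = 0 in State0

def successors(cfg):
    """Both edges of the two-state machine do x' = x + 1 and toggle the control
    state; the counter never decreases, so the machine is 0-reversal-bounded."""
    state, x = cfg
    return [(STATE1 if state == STATE0 else STATE0, x + 1)]

def forward_closed_form(cfg):
    """Presburger description of FM({(State0, 0)}): even counter values pair
    with State0, odd ones with State1 (my derivation, not from the slides)."""
    state, x = cfg
    return x >= 0 and (x % 2 == 0) == (state == STATE0)

def binary_reach_closed_form(src, dst):
    """Presburger description of R(M): dst is reachable from src iff the counter
    does not decrease and the parity of the distance matches whether control toggled."""
    (s, x), (t, y) = src, dst
    return y >= x and ((y - x) % 2 == 0) == (s == t)

def enumerate_reach(src, bound):
    """Explicit forward reachability from src, cut off at counter value `bound`."""
    seen, todo = {src}, deque([src])
    while todo:
        for nxt in successors(todo.popleft()):
            if nxt[1] <= bound and nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def closed_forms_agree(bound):
    """Cross-check both closed forms against enumeration on every configuration
    with counter value <= bound."""
    configs = [(s, x) for s in (STATE0, STATE1) for x in range(bound + 1)]
    explicit = enumerate_reach(INIT, bound)
    if any(forward_closed_form(c) != (c in explicit) for c in configs):
        return False
    return all(binary_reach_closed_form(src, dst) == (dst in enumerate_reach(src, bound))
               for src in configs for dst in configs)

def invariant_state1_odd(bound):
    """AG(State1 => x odd), evaluated on the closed-form reachable set instead of
    on a fixpoint iteration; the property is an assumption, see the lead-in."""
    return all(x % 2 == 1 for x in range(bound + 1) if forward_closed_form((STATE1, x)))
```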
Extensions to Computational Models
Allowing counters to store negative integer values
Allowing counters to be incremented or decremented by an integer constant c
Allowing tests of the form x # c, where x is a counter, c is an integer constant, and # is a comparison operator
One can show that, for all the computational models we discussed, a machine M using such extensions can be converted to a machine M' which does not use these extensions and L(M) = L(M')
Consider linear relation tests constructed from atomic linear relations of the form Σ_{x∈C} a_x·x < b (where C is the set of counters) and logical connectives
The emptiness problem for deterministic CM-acceptors using linear relation tests is undecidable
If we restrict PCMs (TCMs) to be mode-bounded (i.e., the number of changes between the modes increasing, decreasing, and no-change is bounded by a constant), then the emptiness problem is decidable even when linear relation tests are used [Ibarra et al. 00]
Applications
One can show the decidability of verification problems for a system by reducing it to one of the systems we presented
Binary reachability of discrete timed-automata with pushdown is decidable [Dang et al. 00]
By restricting the behaviors of a given infinite-state system one can obtain a conservative approximation of the given system
– in the sense that when an error is found in the restricted system, the error exists in the original system
Finding bugs is as important as verifying a system
The restrictions we discussed are not as severe as bounded model checking [Biere et al. 99], which limits the number of execution steps
Conclusions and Future Work
We showed that there are various restrictions one can put on computational models which will ensure the decidability of reachability problems
We need to investigate the complexity of the verification problems for these restricted models
We need to investigate extending these results to liveness properties and temporal logics