Regular Model Checking
Ahmed Bouajjani, Bengt Jonsson, Marcus Nilsson and Tayssir Touili
Moran Ben Tulila, 8.5.12
Outline
• Introduction
• Program Model Definition
• Automata Theoretic Construction of the Transitive Closure
• Widening Based Techniques
• Model Checking of ω-Regular Properties
• Conclusion
About Regular Model Checking
A framework for algorithmic verification of infinite-state systems with e.g. queues, stacks, integers, or a parameterized linear (or ring-formed) topology
Considers systems whose states can be represented as finite strings of arbitrary length over a finite alphabet
We will focus on the problems of computing the set of states that are reachable from some set of initial states, and on computing the transitive closure of the transition relation
Verification Problems
Computing Reachability Sets-
Computing Transitive Closure-
Motivation
The problem of verifying that a system satisfies a certain correctness property is usually reduced to checking some form of reachability problem on a transition system model of the system
Examples: mutual exclusion, finding loops of parameterized systems
Q: So, why not use standard iteration-based methods?
The (Obvious) Answer:
Termination is not guaranteed for parameterized or infinite-state systems!
• Termination is guaranteed only if there is a bound on the distance (in number of transitions) from the initial configurations to any reachable configuration
Definitions
• Regular Set-
• Cross Product-
Definitions (Cont.)
• Regular Relation -
A regular relation can be conveniently recognized by a finite-state transducer
Definitions (Cont.)
• Transducer-
Example: the token passing protocol
[figure: finite-state transducer with states 0, 1, 2]
The transition relation can be represented by a finite set of actions, where each action is a regular relation between strings that can be represented by a finite-state transducer (like the one above)
Program Model
Example: the token passing protocol
Another Example of System Modeling
Systems communicating over unbounded FIFO channels
[figure: FIFO channel holding the messages … M1 M2 M3]
Configurations are of the form:
Another Example of System Modeling (Cont.)
The system is modeled by:
Computing the Transitive Closure
We will present a technique for computing R+ by computing a minimal deterministic transducer that recognizes it
At this point – our construction is not guaranteed to terminate (in particular if R+ is not regular)
we’ll see how to deal with that problem in a few slides
From now on – assume R is a regular relation on
Computing the Transitive Closure (Cont.)
R is regular, so R can be represented as a finite-state transducer:
Computing the Transitive Closure (Cont.)
Computing the Transitive Closure (Cont.)
In matrix form:
Computing the Transitive Closure (Cont.)
The first step in our construction will be to regard this matrix as a single run of another transducer
The new transducer’s states will be the columns of the matrix
The new transducer’s transitions will represent the relationship between adjacent columns in the matrix
Computing the Transitive Closure (Cont.)
We define the column transducer for R+ as the tuple
where:
- F+ is the set of non-empty sequences of accepting states of R
The column transducer for R+ accepts exactly the relation R+
Example
Recall our transducer for the transition relation of the token passing protocol :
Alphabet slightly changed
Example
The matching column transducer looks as follows:
But…
The calculated transducer has infinitely many states
So, we will try to determinize it using the standard subset-construction, in the hope of decreasing the number of states
Reminder from Automata Course: Subset Construction
The standard method for converting a nondeterministic finite automaton (NFA) into a deterministic finite automaton (DFA) which recognizes the same formal language
It applies most directly to an NFA that does not allow epsilon moves
For an NFA (Q, Σ, T, q0, F) in which Q is the set of states, Σ is the set of input symbols, T is the transition function, q0 is the initial state, and F is the set of accepting states, the matching DFA has states corresponding to subsets of Q. Its initial state is {q0}; the transition function of the DFA maps a state S (representing a subset of Q) and an input symbol x to the set T(S,x) = ∪{T(q,x) | q ∈ S}; and a state S of the DFA is an accepting state if and only if at least one member of S is an accepting state of the NFA
Subset Construction Example
For the NFA:
Subset Construction Example (Cont.)
We get the following DFA:
Determinizing the Column Transducer
Let x, y range over columns and X, Y over sets of columns. The subset construction applied to the column transducer yields the automaton:
where:
Determinizing the Column Transducer (Cont.)
A few technical details:
• The transducer is constructed on-the-fly, starting from the initial state and computing successors for each generated state X and pair of symbols (a,a’)
• The construction terminates when no new states are generated
• In most cases, the subset construction does not yield a finite automaton
Determinizing the Column Transducer - Example
Deterministic transducer built from the column transducer for the token passing protocol:
Transducer’s Minimization
As shown, the subset construction doesn’t necessarily yield a finite automaton
Therefore, we try to make it smaller by identifying equivalent sets of columns during the construction (and merging them)
We’ll define equivalent sets as the following:
Two sets X,Y of columns are equivalent if suff(X)=suff(Y)
Transducer’s Minimization (Cont.)
Detection of equivalent sets is based on saturation. The basic idea:
Extend (saturate) each set X of columns by additional columns x such that
Hopefully, two equivalent sets of columns will become identical after saturation
Transducer’s Minimization (Cont.)
Definition:
A state q in the original transducer R is a copying state if
Transducer’s Minimization (Cont.)
Saturation Rule:
If the set of reachable states in the automaton is finite, then R+ is regular, and using standard techniques we can obtain a minimal deterministic finite-state transducer which recognizes R+
Transducer’s Minimization - Example
The minimal deterministic transducer accepting R+ for the token passing protocol is:
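Because the slides' transducer figures did not survive extraction, the following added Python example (not code from the paper or the presentation) writes down the token passing transducer R, a candidate for the minimal deterministic transducer recognizing R+, and the subset construction recalled on the reminder slides, then checks the candidate against brute-force iteration of R on all words of bounded length. The Transducer class, the R+ candidate and the length bound are the editor's assumptions; the block also serves the subset-construction reminder above by determinizing the product transducer R;R.

```python
from itertools import product

# Length-preserving transducer as an NFA over symbol pairs: trans maps (state, (a, b)) -> successors.
class Transducer:
    def __init__(self, alphabet, initial, accepting, trans):
        self.alphabet, self.initial, self.accepting = alphabet, initial, set(accepting)
        self.trans = {k: set(v) for k, v in trans.items()}

    def step(self, states, pair):
        # Subset-construction rule from the slides: T(S, x) = U{ T(q, x) | q in S }
        return frozenset(r for q in states for r in self.trans.get((q, pair), ()))

    def relates(self, w, v):
        """True iff (w, v) is in the relation recognized by this transducer."""
        states = frozenset([self.initial]) if len(w) == len(v) else frozenset()
        for pair in zip(w, v):
            states = self.step(states, pair)
        return bool(states & self.accepting)

def compose(t1, t2):
    """Product transducer for R1;R2: (a, c) is read when some b lets t1 read (a, b) while t2 reads (b, c)."""
    trans = {}
    for (p, (a, b)), ps in t1.trans.items():
        for (q, (b2, c)), qs in t2.trans.items():
            if b == b2:
                trans.setdefault(((p, q), (a, c)), set()).update(product(ps, qs))
    acc = {(p, q) for p in t1.accepting for q in t2.accepting}
    return Transducer(t1.alphabet, (t1.initial, t2.initial), acc, trans)

def determinize(t):
    """On-the-fly subset construction: states are sets of t's states, successors computed per symbol pair."""
    init = frozenset([t.initial])
    trans, seen, todo = {}, {init}, [init]
    while todo:
        X = todo.pop()
        for pair in product(t.alphabet, repeat=2):
            Y = t.step(X, pair)
            if Y:
                trans[(X, pair)] = {Y}
                if Y not in seen:
                    seen.add(Y); todo.append(Y)
    return Transducer(t.alphabet, init, {X for X in seen if X & t.accepting}, trans)

def agree(t1, t2, max_len):
    """Do t1 and t2 relate exactly the same pairs of words of length <= max_len?"""
    return all(t1.relates(w, v) == t2.relates(w, v) for L in range(max_len + 1)
               for w in product(t1.alphabet, repeat=L)
               for v in product(t1.alphabet, repeat=L))

# Token passing protocol: 't' holds the token, 'n' does not.  R moves the token
# one position to the right (states: 0 before, 1 token lifted, 2 after).
R = Transducer("tn", 0, {2}, {(0, ("n", "n")): {0}, (0, ("t", "n")): {1},
                              (1, ("n", "t")): {2}, (2, ("n", "n")): {2}})

# Candidate minimal deterministic transducer for R+ (token moves right by one
# or more positions): a reconstruction by the editor, not the slide's own figure.
R_PLUS = Transducer("tn", 0, {2}, {(0, ("n", "n")): {0}, (0, ("t", "n")): {1},
                                   (1, ("n", "n")): {1}, (1, ("n", "t")): {2},
                                   (2, ("n", "n")): {2}})

def check_r_plus(max_len):
    """Brute force: on words of length <= max_len, R+ is the union of R, R;R, ...,
    R^max_len (the token moves at most max_len - 1 steps); compare with R_PLUS."""
    powers, p = [], R
    for _ in range(max_len):
        powers.append(p); p = compose(p, R)
    return all(R_PLUS.relates(w, v) == any(q.relates(w, v) for q in powers)
               for L in range(max_len + 1)
               for w in product("tn", repeat=L) for v in product("tn", repeat=L))
```

The composed transducer R;R is nondeterministic in general, so determinize() is where the reminder's T(S, x) rule actually gets exercised.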
Termination
It can be shown that R+ is regular under some sufficient conditions on a regular relation R (so in that case our construction of R+ yields a finite-state transducer)
In order to characterize the class of regular relations R for which our transitive-closure construction works, we define a notion of local depth:
Termination (Cont.)
Intuitively, a relation with local depth k never needs to rewrite any element of a word more than k times to relate two words
For example: the transition relation in a parameterized system in which a process passes a token to its right neighbor (token passing protocol) has local depth 2, since in an arbitrary execution sequence each process is affected at most twice:
• when receiving the token
• when sending the token
Termination (Cont.)
With some modifications, this method enables us to compute as well
Computing Reachable Configurations
Used to speed up the calculation of a regular fixpoint. Applied during the iterative construction of the set of reachable configurations in order to help termination.
Our technique consists in:
• guessing automatically the image of iterating a relation starting from some given regular set
• deciding whether this guess is correct
Widening
A widening step consists in:
• guessing the result of iterating R starting from by comparing to (in general, this guess can be made by considering the sets up to some finite bound k)
• adding the obtained set (the guess) to the computed set of configurations
• continuing exploration of the configuration space
Computing Set of Reachable Configurations
( )iR
Computing Set of Reachable Configurations (Cont.)
Intuitively: C1 says that applying R to is like “adding” between and
C2 ( is a fixpoint of and is the least fixpoint of F)
Computing Set of Reachable Configurations (Cont.)
Our work process: given two regular sets and we need to find regular sets such that C1 holds, and check that condition C2 also holds for these sets
Notice that by adding to the computed set of configurations we capture at least all the reachable configurations from by iterating R. Nevertheless, the inclusion isn’t guaranteed by C2 (for any kind of regular relation R)
* *1 2 ( )R
Computing reachability set from initial configurations for the token passing protocol:
Computing Set of Reachable Configurations - Example
C1 holds since:
C2 holds since:
In this example, we apply an exact widening step by adding to the set of reachable configurations. By doing this, our procedure terminates and we get the result:
As stated before, our method doesn’t guarantee finding the set of reachable configurations exactly
We will introduce a class of relations for which it can be shown that our widening technique is exact
Exact Widening
Exact Widening (Cont.)
A few definitions:
Exact Widening (Cont.)
A few definitions (cont.):
Exact Widening (Cont.)
To prove this theorem we define:
Noetherian relations:
a length-preserving relation R is Noetherian iff idR R
Exact Widening (Cont.)
Then we can prove:
Constructing Transitive Closures
The widening technique can also be used to compute the transitive closure of a length-preserving relation R
Verifying Properties
We will show how to reduce the problem of verifying a property specified by a Buchi automaton to the problem of computing the transitive closure
Based on the fact that detecting infinite sequences reduces to detecting loops
We can use this idea to verify that a program satisfies an ω-regular property under a set of fairness requirements
Verifying Properties (Cont.)
An ω-language consists of infinite words (ω-words), where each word can be viewed as a function from N to Σ, with the value at i giving the symbol at position i
The set of all infinite words over Σ is denoted Σω
Thus, an ω-language L over Σ is a subset of Σω
An ω-language L is ω-regular if it has one of the forms:
• Aω, where A is a nonempty regular language not containing the empty string
• AB, the concatenation of a regular language A and an ω-regular language B (note that BA is not well-defined)
• A∪B, where A and B are ω-regular languages (this rule can only be applied finitely many times)
Verifying Properties (Cont.)
Every ω-regular language can be recognized by a Buchi automaton, where:
Verifying Properties (Cont.)
Our verification process:
• encode the negation of the property to be checked as a Buchi automaton
• encode each fairness constraint as a Buchi automaton (we can handle parameterized fairness requirements by associating one Buchi automaton with each position in the word, which expresses the fairness constraint for that position)
• construct the product of the program with the Buchi automaton for the negation of the property, and the Buchi automata for the fairness requirements
• check whether this product has a reachable “fair loop” in which each Buchi automaton visits an accepting state
Verifying Properties (Cont.)
Observer bit: one per Buchi automaton. Initialized to “false” in a reachable state and becomes “true” whenever the Buchi automaton reaches an accepting state. Can never become “false” after being set to “true”
R_aug: transition relation containing both the Buchi automata and the observer bits
Fair loops can be detected by checking whether R_aug relates a reachable state with all observer bits being “false” with the same reachable state with all observer bits being “true”
Verifying Properties- Example
We want to verify the liveness property “every process eventually gets the token” of the token passing protocol:
The property negation is: “some process never gets the token”
The negation can be expressed by a Buchi automaton accepting an infinite sequence of states of a process where the token is never obtained
Encoded by adding a boolean variable r and changing the transition relation and the set of initial configurations so that:
• r is true at exactly one position in the word
• the truth value of r never changes in any position
• the token is never passed to the position where r holds
Verifying Properties- Example (Cont.)
The fairness constraint for each process is:
The process may not hold the token indefinitely, and this can be expressed by the Buchi automaton:
These Buchi automata are encoded by an extra variable s, initialized to s1 and ranging over {s1,s2}. The transition relation is extended so that it includes s
Verifying Properties- Example (Cont.)
We can now check for fair infinite runs that violate the original property by checking the emptiness of the set:
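The observer-bit fair-loop check for this token passing example, run on a finite instance, as an added Python example (not the paper's or the presentation's code): the encoding of r and s follows the slides, while N = 3 processes in a line, an idle step (so that infinite runs exist) and the concrete form of R_aug are the editor's assumptions. With the fairness automata switched on, no loop exists in which every observer bit becomes true, so the liveness property holds; switching fairness off exposes the idle loop in which the token never moves.

```python
# Finite instance of the observer-bit check from the slides (constructed example).
N = 3  # assumed number of processes, token passed to the right neighbour

def successors(base, fairness):
    """One step of the product system.  base = (tokens, rpos, s): tokens is a
    tuple of 't'/'n', rpos the position where r holds (it must never get the
    token), s the per-position fairness automaton state ('s1' = not holding the
    token, accepting; 's2' = holding it) or () when fairness is switched off."""
    tokens, rpos, _ = base
    moves = [tokens]  # assumed idle step: the configuration may stay as it is
    for i in range(N - 1):
        if tokens[i] == 't' and i + 1 != rpos:
            new = list(tokens)
            new[i], new[i + 1] = 'n', 't'
            moves.append(tuple(new))
    return {(new, rpos, tuple('s1' if c == 'n' else 's2' for c in new) if fairness else ())
            for new in moves}

def step_aug(state, fairness):
    """R_aug: product step plus observer bits.  Bit 0 belongs to the Buchi automaton
    for the negated property, which (being encoded through r) accepts in every
    state; bit i+1 is set once fairness automaton i reaches s1.  Bits never reset."""
    base, obs = state
    return {(nb, (True,) + tuple(o or x == 's1' for o, x in zip(obs[1:], nb[2])))
            for nb in successors(base, fairness)}

def reachable(starts, succ):
    """All states reachable from the given set under the successor function."""
    seen, todo = set(starts), list(starts)
    while todo:
        x = todo.pop()
        for y in succ(x):
            if y not in seen:
                seen.add(y)
                todo.append(y)
    return seen

def initial_bases(fairness):
    """Token at the leftmost process, r at some other position, s initialized to s1."""
    s = ('s1',) * N if fairness else ()
    return {(('t',) + ('n',) * (N - 1), rpos, s) for rpos in range(1, N)}

def has_fair_loop(fairness):
    """The slides' check: is there a reachable state x such that (x, all observer
    bits false) reaches (x, all observer bits true) in one or more R_aug steps?"""
    nbits = 1 + (N if fairness else 0)
    for x in reachable(initial_bases(fairness), lambda b: successors(b, fairness)):
        first = step_aug((x, (False,) * nbits), fairness)
        if (x, (True,) * nbits) in reachable(first, lambda st: step_aug(st, fairness)):
            return True
    return False

if __name__ == "__main__":
    # With fairness the process stuck before the r position never revisits s1, so
    # its observer bit stays false and no fair loop exists: the property holds.
    print("fair loop with fairness:", has_fair_loop(True))      # False
    print("fair loop without fairness:", has_fair_loop(False))  # True
```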
Conclusion
Regular model checking: a framework for algorithmic verification of parameterized and infinite-state systems
Automata theoretic construction of transitive closure of regular relation
Widening based techniques for computing set of reachable configurations
Implementation during verification