Regular Model Checking Using Solver Technologies and ... · Regular Model Checking Using Solver echnologiesT and Automata Learning Daniel NeiderNils Jansen RWTH Aachen Universit,y

Regular Model Checking Using Solver

Technologies and Automata Learning

Daniel Neider Nils Jansen

RWTH Aachen University, Germany

May 14th, 2013

NASA Formal Methods Symposium

NASA Ames Research Center, Mo�ett Field, CA, USA

Token Ring Example

1

2

3

4

Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 1/16

Token Ring Example

1

2

3

4

Modeling Programs

Con�gurations:

Transitions:


Token Ring Example

1

2

3

4

Modeling Programs

Con�gurations: 1000

, 0100, 0010, 0001, 0000, 1100, . . .

Transitions:


Token Ring Example

1

2

3

4

Modeling Programs

Con�gurations: 1000, 0100

, 0010, 0001, 0000, 1100, . . .

Transitions:


Token Ring Example

1

2

3

4

Modeling Programs

Con�gurations: 1000, 0100, 0010, 0001, 0000, 1100, . . .

Transitions:


Token Ring Example

1

2

3

4

Modeling Programs

Con�gurations: 1000, 0100, 0010, 0001, 0000, 1100, . . .

Transitions:

[10

][01

][00

][00

]

,

[00

][10

][01

][00

],. . . ,

[01

][00

][00

][10

]


Token Ring Example

1

2

3

4

Modeling Programs

Con�gurations: 1000, 0100, 0010, 0001, 0000, 1100, . . .

Transitions:

[10

][01

][00

][00

],

[00

][10

][01

][00

]

,. . . ,

[01

][00

][00

][10

]


Token Ring Example

1

2

3

4

Modeling Programs

Con�gurations: 1000, 0100, 0010, 0001, 0000, 1100, . . .

Transitions:

[10

][01

][00

][00

],

[00

][10

][01

][00

],. . . ,

[01

][00

][00

][10

]


Token Ring Example

1

2 3

4

56

Modeling Programs

Con�gurations: 100000, 010000, 001000, 000000, . . .

Transitions:

[10

][01

][00

][00

][00

][00

], . . . ,

[10

][00

][00

][00

][00

][01

]


Token Ring Example

1

2

3

4

5

6

7

8

Modeling Programs

Con�gurations: (0 + 1)∗

Transitions:

[00

]∗[10

][01

][00

]∗+

[01

][00

]∗[10

]


Token Ring Example

1

2

3

4

5

6

7

8

The question we want to address

Initial con�gurations I = 10∗

Transitions T = . . .

Bad con�gurations B = 0∗ + 0∗10∗1(0 + 1)∗

Is there a path from some c ∈ I to some c′ ∈ B along T?


Regular Model Checking

Input

A regular set of initial con�gurations I,

a regular set of bad con�gurations B, and

a transducer T de�ning the transitions.

an NFA T = (Q,Σ× Σ, q0,∆, F )Question

Does ReachT (I) ∩B = ∅ hold?

RemarkThe Regular Model Checking Problem is undecidable.

Thus, all algorithms are necessarily semi-algorithms.



Input




an NFA T = (Q,Σ× Σ, q0,∆, F )

Question






Input




an NFA T = (Q,Σ× Σ, q0,∆, F )

Question






Input




an NFA T = (Q,Σ× Σ, q0,∆, F )

Question





Motivation

IB


Motivation

P

IB

ProofA (regular) proof is a (regular) set P with

I ⊆ P ,B ∩ P = ∅, andP is inductive, i.e., u ∈ P and (u, u′) ∈ L(T ) implies u′ ∈ P .


Motivation

P

IB

Tools for Regular Model Checking

Faster and

T(O)RMC

Problem: The performance is poor for large representations of I!


Motivation

P

IB

What we do

We approximate I and B with �nite sets.

We use sampling strategies known from automata learning.

We compute smallest proofs using logic solvers.


Outline

1. Automata Learning

2. Regular Model Checking via Automata Learning

3. Experiments

4. Conclusion


Outline



3. Experiments

4. Conclusion

Angluin's Learning Framework

Is ab ∈ L??a, b

Yes!No, counterexample aa!

ab



Is ab ∈ L?

?

a, bYes!No, counterexample aa!

ab



Is ab ∈ L??a, b

Yes!

No, counterexample aa!

ab



Is ab ∈ L?

?

a, b


ab



Is ab ∈ L??a, b

Yes!

No, counterexample aa!

ab


Our Learning Framework

Is ab ∈ L??a, b


ab

�yes��no�

?


Our Learning Framework

Is ab ∈ L??a, b


ab


Outline



3. Experiments

4. Conclusion

CEGAR-style Regular Model Checking

Maintain asample S

Compute a smallestinductive DFA Aconsistent with S

Equivalencequery

S A

�no�

Add counterexample to S

�yes�

L(A) isa proof



Maintain asample S


Equivalencequery

S A

�no�


�yes�

L(A) isa proof

1. Sample S = (S+, S−) where S+, S− ⊆ Σ∗ are �nite.

2. Compute a smallest inductive DFA A consistent with S, i.e.,

S+ ⊆ L(A) and S− ∩ L(A) = ∅.

3. Equivalence query: if A is inductive, it is enough to check

I ⊆ L(A) and B ∩ L(A) = ∅.



Maintain asample S


Equivalencequery

S A

�no�


�yes�

L(A) isa proof



S+ ⊆ L(A) and S− ∩ L(A) = ∅.


I ⊆ L(A) and B ∩ L(A) = ∅.



Maintain asample S


Equivalencequery

S A

�no�


�yes�

L(A) isa proof



S+ ⊆ L(A) and S− ∩ L(A) = ∅.


I ⊆ L(A) and B ∩ L(A) = ∅.



Maintain asample S


Equivalencequery

S A

�no�


�yes�

L(A) isa proof

Correctness

The algorithm terminates once L(A) is a proof.

Successive DFAs are di�erent and the size of successive DFAs

increases monotonically.

Computing minimal DFAs guarantees termination if a proof

exists.


Angluin-style Regular Model Checking

Maintain asample S


Equivalencequery

Membership query

S A

�no�

Add counterexample

�yes�

L(A) isa proof


Angluin-style Regular Model Checking

Maintain asample S


Equivalencequery

Membership query

S A

�no�

Add counterexample

�yes�

L(A) isa proof

u �yes� / �no� / �?�


Realizing the Black Box

Given a sample S and a transducer T .

Main IdeaConstruct a formula ϕS,Tn such that

ϕS,Tn is satis�able

⇔there exists a DFA A with n states such that A is consistent with

S and inductive with respect to T .

TheoremBy increasing the value of n, we will �nd a smallest DFA consistent

with S and inductive with respect to T if one exists.


Realizing the Black Box

Given a sample S and a transducer T .

Main IdeaConstruct a formula ϕS,Tn such that

ϕS,Tn is satis�able

⇔there exists a DFA A with n states such that A is consistent with

S and inductive with respect to T .

TheoremBy increasing the value of n, we will �nd a smallest DFA consistent

with S and inductive with respect to T if one exists.


Encoding DFAs

A =(Q,Σ, q0, δ, F

)If Q, Σ, and q0 are �xed, then every DFA is completely de�ned by δand F .

Use Boolean variables dp,a,q with the meaning:

if dp,a,q ≡ true, then δ(p, a) = q.

Use Boolean variables fq with the meaning:

if fq ≡ true, then q ∈ F .Use constraints

¬dp,a,q ∨ ¬dp,a,q′∨q∈Q

dp,a,q

Let ϕDFAn be the conjunction of these constraints.


Encoding DFAs

A =(Q,Σ, q0, δ, F





if fq ≡ true, then q ∈ F .

Use constraints


dp,a,q



Encoding DFAs

A =(Q,Σ, q0, δ, F





if fq ≡ true, then q ∈ F .Use constraints


dp,a,q



Encoding DFAs

Construction of a DFA from a ModelLet M |= ϕDFAn . Then, we construct a DFA

AM = ({q0, . . . , qn−1},Σ, q0, δ, F ) as follows:

δ(p, a) = q for the unique q ∈ Q such that M(dp,a,q) = true.

q ∈ F if and only if M(fq) = true.

Impose restrictions on the behavior of AM by introducing the two

formulas

ϕSn that enforces that AM is consistent with S, andϕTn that enforces that AM is inductive with respect to T .

ϕS,Tn := ϕDFAn ∧ ϕSn ∧ ϕTn is the desired formula.


Encoding DFAs






formulas




Encoding DFAs






formulas




Formula ϕSn

Let S = (S+, S−). Establish S+ ⊆ L(AM) and S− ∩ L(AM) = ∅!

Introduce variables xu,q for u ∈ Pref(S+ ∪ S−) with the meaning:

if AM : q0u−→ q, then xu,q ≡ true.

Introduce constraints:

xε,q0

(xu,p ∧ dp,a,q)→ xua,q for ua ∈ Pref(S+ ∪ S−)

xu,q → fq for u ∈ S+

xu,q → ¬fq for u ∈ S−

Let ϕSn be the conjunction of these constraints. Then,

M |= ϕDFAn ∧ ϕSn implies S+ ⊆ L(AM)) and S− ∩ L(AM) = ∅.


Formula ϕSn





xε,q0







Formula ϕSn





xε,q0







Formula ϕSn





xε,q0







Formula ϕTn

Let T = (QT ,Σ× Σ, qT0 ,∆T , F T ). Establish

u ∈ L(AM) ∧ (u, u′) ∈ L(T ) ⇒ u′ ∈ L(AM)!

Introduce variables yq,q′,q′′ with with the meaning:

if there are u, u′ ∈ Σ∗ such that

AM : q0u−→ q

T : qT0(u,u′)−−−→ q′

AM : q0u′−→ q′′

,

then yq,q′,q′′ ≡ true.


Formula ϕTn

Let T = (QT ,Σ× Σ, qT0 ,∆T , F T ). Establish

u ∈ L(AM) ∧ (u, u′) ∈ L(T ) ⇒ u′ ∈ L(AM)!

Introduce variables yq,q′,q′′ with with the meaning:

if there are u, u′ ∈ Σ∗ such that

AM : q0u−→ q

T : qT0(u,u′)−−−→ q′

AM : q0u′−→ q′′

,

then yq,q′,q′′ ≡ true.


Formula ϕTn


yq0,qT0 ,q0(yp,p′,p′′ ∧ dp,a,q ∧ dp′′,b,q′′

)→ zq,q′,q′′ for (p′, (a, b), q′) ∈ ∆T(

yq,q′,q′′ ∧ fq)→ fq′′ for q′ ∈ F T

Let ϕTn be the conjunction of these constraints.

Then, M |= ϕDFAn ∧ ϕTn implies

u ∈ L(AM) ∧ (u, u′) ∈ L(T )⇒ u′ ∈ L(AM).


Outline



3. Experiments

4. Conclusion

Experiments - Integer Linear Systems

Petri Berkeley Synapse Lift Mesi

0.01

0.1

1

10Runtimein

seconds

CEG (SAT) ANG (SAT) T(O)RMC FASTer


Experiments - Token Ring

0 100 200 300 400

0.1

1

10

100

Size of I (# states)

Runtimein

seconds

CEGAR



0 100 200 300 400

0.1

1

10

100


Runtimein

seconds

CEGAR ANGLUIN



0 100 200 300 400

0.1

1

10

100


Runtimein

seconds

CEGAR ANGLUIN T(O)RMC


Outline



3. Experiments

4. Conclusion

Conclusion and Further Research

Summary

We presented a new technique for Regular Model Checking

based upon automata learning and logic solver.

Large sets of initial and bad con�gurations are approximated.

Experiments show competitiveness to other available tools.

Further Research

Possible directions of future research are

suitable non-regular representations of I and B,

nondeterministic automata as proofs, and

an incremental SAT approach.

An interesting extension would be to also approximate the

transducer.


Conclusion and Further Research

Summary

We presented a new technique for Regular Model Checking

based upon automata learning and logic solver.

Large sets of initial and bad con�gurations are approximated.

Experiments show competitiveness to other available tools.

Further Research

Possible directions of future research are

suitable non-regular representations of I and B,

nondeterministic automata as proofs, and

an incremental SAT approach.

An interesting extension would be to also approximate the

transducer.


Documents

Regular Model Checking Using Solver Technologies and ... · Regular Model Checking Using Solver echnologiesT and Automata Learning Daniel NeiderNils Jansen RWTH Aachen Universit,y