ACTA UNIVERSITATIS UPSALIENSIS, UPPSALA 2006
Digital Comprehensive Summaries of Uppsala Dissertations from the Faculty of Science and Technology 187

Verification of Parameterized and Timed Systems
Undecidability Results and Efficient Methods

JOHANN DENEUX

ISSN 1651-6214, ISBN 91-554-6574-9, urn:nbn:se:uu:diva-6891
Full text (DiVA portal): uu.diva-portal.org/smash/get/diva2:168404/FULLTEXT01.pdf



List of Papers

This thesis is based on the following papers, which are referred to in the text by their Roman numerals.

I Parosh A. Abdulla, Johann Deneux, Joel Ouaknine, James Worrell. Decidability and Complexity Results for Timed Automata via Channel Machines. A preliminary version of this paper appeared in Proc. ICALP’05, 32nd Int. Colloquium on Automata, Languages and Programming, Lisbon, 2005.

II Parosh A. Abdulla, Johann Deneux, Lisa Kaati, Marcus Nilsson. Minimization of Non-Deterministic Automata with Large Alphabets. A preliminary version of this paper appeared in Proc. CIAA’05, 10th International Conference on Implementation and Application of Automata, Sophia Antipolis, France, 2005.

III Parosh A. Abdulla, Johann Deneux, Pritha Mahata. Networks of Identical Multi-Clock Timed Processes. This paper is based on Multi-Clock Timed Networks, LICS’04, 18th IEEE Int. Symp. on Logic in Computer Science, Helsinki, 2004, and Open, Closed and Robust Timed Networks, Proc. INFINITY’04, 6th International Workshop on Verification of Infinite-State Systems, London, 2004, by the same authors.

IV Parosh A. Abdulla, Johann Deneux, Pritha Mahata, Aletta Nylen. Forward Reachability Analysis of Timed Petri Nets. A preliminary version appeared in Proc. Analysis of Timed Systems (FORMATS) and Formal Techniques in Real-Time and Fault Tolerant Systems (FTRTFT), Grenoble, France, 2004.

Reprints were made with permission from the publishers.


Comments on my participation

I I participated in developing the proofs of the complexity result as well as the undecidability result for Timed Automata with Büchi conditions.

II I participated in evaluating the complexity of the algorithm.

III I participated in all proofs.

IV I participated in all proofs, and implemented the tool.

Additional work by the author

• Johann Deneux and Ove Akerlund. A Common Framework for Design and Safety Analyses using Formal Methods. Proc. International Conference on Probabilistic Safety Assessment and Management (PSAM7/ESREL’04), June 2004, Berlin.

• Parosh Aziz Abdulla, Johann Deneux, and Ove Akerlund. Designing Safe, Reliable Systems using Scade. Proc. ISoLA’04, 1st International Symposium on Leveraging Applications of Formal Methods, November 2004, Paphos, Cyprus.


Contents

1 Acknowledgements  7
2 Introduction  9
  2.1 Model checking  11
    2.1.1 Modeling systems  11
    2.1.2 Specifications  14
    2.1.3 Reachability  15
    2.1.4 Language inclusion  15
    2.1.5 Verification of finite state systems  15
    2.1.6 Verification of infinite state systems  16
  2.2 Contributions  19
    2.2.1 Paper I  19
    2.2.2 Paper II  19
    2.2.3 Paper III  19
    2.2.4 Paper IV  20
  2.3 Open problems and future work  20
3 Swedish summary  23
Bibliography  25


1. Acknowledgements

This work was supported by the ASTEC competence center.

I would like to thank Parosh, who provided interesting problems, suggested solutions and thoroughly read and helped correct all proofs. This thesis would not have been possible without you.

I spent roughly half of the time of my PhD studies working for Prover Technology, a company focused on closing the gap between academic research and industrial application. I am especially grateful to Ove for his ongoing friendly collaboration.

I also want to thank my colleagues and friends, in order of appearance: Julien, Alexandre, Pritha, Kidane, Noomene, Ahmed, Lisa, Mayank, Therese and Frederic. Without you, I would have never made it through dark winters and late deadlines.

My thanks also go to all the people at the department, whom I met in reading courses, in the coffee room or at other social events, for their stimulating discussions.

I also thank everyone in the administration staff, who have not only been efficient but also flexible, and always happy to offer help.

My gratitude also goes to my family, who have always been there to help and support me, despite the numerous kilometers separating us.


2. Introduction

Since their invention, computer systems and software have been playing an ever-increasing role in our lives. Yet even the strongest technology enthusiasts keep a sane distrust of all electronic equipment, all the more so if it contains software. Common complaints against software are its instability and unreliability.

An often-cited example of the severe consequences of bugs is the explosion of the Ariane 5 rocket on June 4th, 1996. This bug was one of the 10 worst bugs according to [30]. Other bugs found in this ranking include:
• Two radiation therapy machines delivered the wrong doses of radiation, resulting in at least 13 deaths.
• The bug in the floating point unit of the Pentium cost Intel $475 million.
• The AT&T network outage of January 15, 1990 deprived 60 thousand customers of long-distance service for 9 hours.
• The first Internet worm took advantage of a buffer overflow (input written past the end of a fixed-size buffer, corrupting adjacent memory and with it the control flow of the program) in the Berkeley Unix finger daemon, which read its input with an unchecked gets() call. This kind of memory-safety bug has since become common, and is often used to silently spread software which is then used to perpetrate attacks against popular web sites. Any Internet user can unknowingly take part in illegal activities.

Bugs affect our lives, potentially in a life-threatening manner. Software is one of the very few products for which manufacturers provide no guarantee of any sort. One might say that when you buy software, you do not always get what you paid for. Why do bugs thrive? Consider the following aspects of modern information systems:

They are distributed, meaning that an operation as simple as retrieving cash from an ATM involves several computers located in several geographical locations.

Systems have an open architecture, which means that they are composed of various pieces created by different authors, who often never met nor talked. For instance, Microsoft delivers the well-known operating system called Windows, but the drivers, the software which controls peripherals (keyboards, screens, mice...), are written by other companies, in general not affiliated with Microsoft. What the user sees is actually a mixture of software written by a large corporation capable of investing vast amounts of money to develop stable software, and several drivers, each capable of “crashing” the computer. These drivers are often written by small companies whose area of expertise is affordable hardware, as opposed to stable software.


Concurrent software performs several tasks simultaneously. This kind of software was once limited to intensive computations (such as complex physical simulations) or servers (web servers, databases). Chip makers have announced that they will not be able to continue increasing the performance of future processors by increasing their clock frequency. Instead, they include several processors on a single chip. In order to take advantage of these, even software intended for home use has to become concurrent. Concurrent software is an order of magnitude harder to develop than traditional software, which executes one operation at a time, one after another.

The main method used to find and correct bugs is testing and debugging. Debugging consists of running a program slowly, step by step, allowing one to examine the program’s internal data. However, it is clear that this method has reached its limits. Testing was certainly sufficient for simple self-contained programs, but it becomes cumbersome in the case of large distributed systems. It is inapplicable to open systems because the correctness of the entire system depends on the correctness of additional software which is not available to the tester. Testing concurrent software is feasible, but its non-deterministic nature makes it nearly impossible to reproduce and correct bugs.

Instead of observing that a program, protocol or piece of hardware works as expected in a limited number of scenarios, one could try to prove that it is correct in all possible scenarios. This other approach is called verification. The fact that proving is inherently harder than observing has limited its use. That is why a large research effort has been dedicated to making the process of formally verifying complex systems easier to use. This approach was successfully used in the following cases:
• Linux is an operating system whose source code is available to everyone for free. The rationale for offering this unlimited access is that thousands of educated users looking at the source code of a program should provide good protection against bugs. However, formal verification recently exposed 985 bugs unnoticed until then (the list of bugs which have been corrected is available at [1]).
• Microsoft has developed a tool that automatically catches bugs in drivers. This tool is available for free to driver authors, and is accessible to programmers without formal training [15, 3].
• Formal methods played a key role in the design of the first driverless metro in Paris, METEOR. The safety critical software which controls the speed of trains and the safe opening of doors was developed and proved safe using the B method [18].
• Railway interlocking systems are responsible for avoiding collisions between trains. They control when trains should be instructed to stop, and when they may move. Making sure that such systems are safe is obviously of vital importance. However, they must also satisfy minimal efficiency requirements. Indeed, an interlocking system which would instruct all trains to stop would be perfectly safe, but useless. The use of formal methods makes it possible to improve efficiency while maintaining safety [25, 19].

There are two ways of developing correct systems using formal methods: write the specification first, then derive the implementation semi-automatically from this formal specification [14, 13]; or build a simplified model of the system, either manually or by extracting it automatically from a prototype implementation, and verify it using model checking.

This thesis focuses on model checking, the method at the heart of the second approach.

2.1 Model checking

The goal of model checking is to answer the question “Does the system satisfy its requirements?”. Answering this question automatically requires the construction of a formal model of the system, and a formal specification of its requirements.

2.1.1 Modeling systems

Models are labeled transition systems, composed of states and transitions. A state is a snapshot of the whole system at a given moment in time. Transitions specify how the system moves from one state to another. Formally, a labeled transition system M is a tuple (A, S, T, s0) where
• A is the set of labels, which are usually short-hand notations for actions performed by the system;
• S is the set of states;
• T ⊆ S × S × A is the transition relation. M can move from s1 to s2 performing action a if (s1, s2, a) ∈ T;
• s0 is the initial state.

A run is a (possibly infinite) sequence of state-label pairs (s0, a0)(s1, a1)... such that s0 is the initial state, and for all i ≥ 0: (si, si+1, ai) ∈ T. A run is an execution of the labeled transition system.

Systems are modeled in higher-level languages, which can be translated to transition systems.

Finite State Machines (FSM) [2] are used to design digital circuits and control software. They are composed of states, transitions and actions. The translation from FSMs to labeled transition systems is straightforward.

There are situations when timing is important. To model such systems, one can use Timed Automata [11], which can be simply described as “FSMs with timers”.


Figure 2.1: Timed automaton representing an automatic door (locations A, B and C; edges labeled “open door, x := 0”, “x > 10 -> no obstacle”, “obstacle detected” and “close door”)

Figure 2.2: A part of the transition system induced by the model in Figure 2.1 (states such as A 0.0, A 1.23, A 12.0, B 0.0, B 3.14, B 12.0 and C 12.0, connected by arrows labeled T or by the door actions open door, no obstacle and close door)

Figure 2.1 shows a simple timed automaton modeling an automatic door, of the kind one can find on buses. It states that the door should remain open for at least 10 seconds, and then close, provided no object or person blocks it.

Figure 2.2 shows a small part of the induced transition system. Round boxes denote states. The name of each state corresponds to a snapshot of the system, showing the state of the FSM and the value of the clock. Arrows represent transitions. They are labeled with T, for transitions due to the passing of time, or by an action of the door together with a condition on the clock, usually called a guard.

Distributed systems are composed of several processes, which are spread over several locations. Each process runs mostly independently, but needs to synchronize or communicate with other processes. Petri Nets [49] are capable of modeling such systems. They simulate the behavior of families of identical FSMs. The power of Petri Nets resides in the fact that their size does not depend on the number of processes, but rather on the complexity of each process.

Figure 2.3: Petri Net modeling mutual exclusion (locations I, W, CS and M; transitions acq, enter, rel, create, die1, die2 and die3)

Figure 2.4: A part of the transition system induced by the model in Figure 2.3 (states 0001, 1001, 0101, 0010, 2001, 1101, 0201, 1010, 0110, 0100 and 0000, connected by arrows labeled create, acq, enter, rel, die1, die2 and die3)

Figure 2.3 shows a Petri Net modeling mutual exclusion. Locations named I, W and CS are process states. A process in state I is not requesting access to the critical resource. After requesting access, it enters state W, where it waits to be granted the lock. When that happens, the process moves to CS, where it has exclusive access to the resource. After releasing the resource, it goes back to I. New processes may be spawned at any time, which is made possible by transition create. Processes may also die at any time, for reasons not modeled in the Petri Net. Transitions die1, die2 and die3 model these uncontrollable events. Finally, location M models the state of the lock.

Figure 2.4 shows a small part of the transition system induced by Figure 2.3. Each round box is a state of the transition system. Its name indicates the number of tokens in locations I, W, CS and M respectively. One can observe two interesting properties of the system. First, it would seem that the mutual exclusion property might hold, since e.g. states xx2x (where x stands for any number) do not seem to be reachable from the initial state (0001). However, since the entire transition system is not drawn, one cannot yet be sure that mutual exclusion is guaranteed. Secondly, the system can enter a state where it becomes impossible to be granted access to the resource. This happens if a process dies while holding the lock.

In order to circumvent this problem, a common technique consists of adding timeouts: no process may hold a lock for more than a certain fixed amount of time. After this time has elapsed, it is assumed that the process holding the lock is dead, and the lock is released, so that another process may enter the critical section. Note that this assumption is itself a source of bugs: if the holder was merely slow rather than dead, two processes may now be in the critical section, so mutual exclusion has to be verified again on the timed model rather than taken for granted. To model this system, one needs a formalism which includes clocks, e.g. timed Petri Nets (see [20] for a survey).

2.1.2 Specifications

Model checking also requires a formal specification of the requirements of the system. The two most common types of requirements are safety properties and liveness properties. The former describe what the system must not do; the latter state that it must always remain responsive.

The following methods are available to specify requirements:
• Specify conditions which the system must avoid, which amounts to specifying a set of states which the model must never enter. This method is suitable for expressing the simplest safety properties, e.g. “No computation attempts a division by zero”.
• Describe all safe executions of the system by specifying sequences of actions, also called traces or words, using Linear Temporal Logic (LTL). Alternatively, one can also specify the executions corresponding to unwanted behaviors. This method is suitable for safety properties, e.g. “Whenever the pump is activated, its input valve is open”, and for liveness, e.g. “The system always eventually becomes ready to handle new requests”.
• Branching time logics can specify both safety properties and liveness. They differ from LTL in their capability to express possibility, i.e. to quantify over the alternative futures of a state, e.g. “The system is always capable of interrupting its current task and handling urgent requests”.

Model checking consists of answering the question “Does the model satisfy the specification?”. Additionally, a model checker is often capable of providing a proof, or explanation, of the answer. Considering the three specification methods mentioned previously:
• Can the model reach a bad state of the specification? If yes, produce a trace (a sequence of states through which the model successively goes) reaching the state in question. If not, produce an invariant (a set of states which contains the initial state and is closed under the transition relation) which does not intersect the specification.
• Do all runs of the model correspond to a trace in the specification? If not, a run which exhibits an unsafe behavior of the system is produced.
• Does the initial state of the labeled transition system satisfy the formula? In either case, a witness is a computation tree, which can be seen as a part of the transition system.


We will now briefly outline the main ideas underlying model checking of the first two types of specifications.

2.1.3 Reachability

The problem of verifying systems with requirements of the first type is known as the reachability problem. A solution consists of computing the set of states reachable from the initial state, and checking if it includes a bad state. It can also be solved using the opposite approach: start from the bad states, compute the set of states which can reach a bad state, then check if it includes the initial state.

2.1.4 Language inclusion

Verifying systems with requirements specified using the second method can be done by solving the language inclusion problem [57]. An automaton is a labeled transition system equipped with an acceptance condition. The language of an automaton is the set of sequences of labels (words) accepted by this automaton. An automaton accepts a word if its underlying transition system has a run whose sequence of labels matches the word, and the run satisfies the acceptance condition.

The language inclusion problem consists of determining whether the language of an automaton is included in the language of another automaton. A simple form of acceptance condition consists of a set of so-called accepting states. A finite run satisfies this kind of condition if its last state is accepting. Büchi conditions are also finite sets of states, but apply to infinite runs: in order for an infinite run to satisfy such a condition, it must go through accepting states infinitely often.

The former kind of condition is suitable for expressing some safety properties, while the latter can be used for liveness requirements, typically used for reactive systems. These systems run continuously, and must always remain capable of serving requests.
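The inclusion check of this section for the untimed, finite-word case, as an added example written for this page (it is not code from the thesis): the specification automaton is complemented on the fly by the subset construction while it is explored in product with the model, which is exactly where non-determinism in the specification costs a subset per product state. The pump and valve specification is the one quoted in Section 2.1.2; the two controller models and every state and label name are constructed for the illustration.

```python
"""Language inclusion for finite automata on finite words: the untimed case of
Section 2.1.4.  Example code for this page, not from the thesis.  The specification
is complemented on the fly by the subset construction while exploring its product
with the model, so each product state carries a set of specification states."""
from collections import deque
from typing import Any, Dict, FrozenSet, List, Optional, Tuple

# An automaton is a dict with keys init (set of states), accepting (set of states) and
# delta: {(state, label): set of successor states}; a missing entry means "no move".
Automaton = Dict[str, Any]

# "Whenever the pump is activated, its input valve is open", as a safety automaton over
# the actions open, close and pump.  Every state is accepting; the only way to leave
# the language is to pump while the valve is closed, for which there is no move.
VALVE_SPEC: Automaton = {
    "init": {"closed"},
    "accepting": {"closed", "open"},
    "delta": {("closed", "open"): {"open"}, ("closed", "close"): {"closed"},
              ("open", "close"): {"closed"}, ("open", "open"): {"open"},
              ("open", "pump"): {"open"}},
}

# Two constructed controller models.  Model states are all accepting, so a model's
# language is the prefix-closed set of label sequences of its runs.
BUGGY_CONTROLLER: Automaton = {
    "init": {"idle"},
    "delta": {("idle", "open"): {"filling"}, ("filling", "pump"): {"filling"},
              ("filling", "close"): {"draining"}, ("draining", "pump"): {"idle"}},
}
FIXED_CONTROLLER: Automaton = {
    "init": {"idle"},
    "delta": {("idle", "open"): {"filling"}, ("filling", "pump"): {"filling"},
              ("filling", "close"): {"idle"}},
}


def _moves(aut: Automaton, q: Any, a: str) -> set:
    return aut["delta"].get((q, a), set())


def language_included(model: Automaton, spec: Automaton
                      ) -> Tuple[bool, Optional[List[str]]]:
    """Is every word of the model accepted by spec?  Breadth-first search over pairs
    (model state, set of spec states reachable on the word so far).  A word is a
    counterexample as soon as its spec subset holds no accepting state: no run of spec
    accepts it.  Returns (True, None) or (False, shortest offending word)."""
    start = [(s, frozenset(spec["init"])) for s in model["init"]]
    parent: Dict[Tuple[Any, FrozenSet], Optional[Tuple[str, Any]]] = {p: None for p in start}
    queue = deque(start)
    while queue:
        s, qs = queue.popleft()
        if not qs & spec["accepting"]:
            word, cur = [], (s, qs)
            while parent[cur] is not None:
                a, cur = parent[cur]
                word.append(a)
            return False, word[::-1]
        for (s1, a), succs in model["delta"].items():
            if s1 != s:
                continue
            qs2 = frozenset(q2 for q in qs for q2 in _moves(spec, q, a))
            for s2 in succs:
                if (s2, qs2) not in parent:
                    parent[(s2, qs2)] = (a, (s, qs))
                    queue.append((s2, qs2))
    return True, None


if __name__ == "__main__":
    print(language_included(BUGGY_CONTROLLER, VALVE_SPEC))   # (False, ['open', 'close', 'pump'])
    print(language_included(FIXED_CONTROLLER, VALVE_SPEC))   # (True, None)
```

The buggy controller is rejected with the word open, close, pump: after closing the valve it pumps again, and the specification has no move for pump in its closed state. Universality of a non-deterministic automaton A, the question studied in Paper I, is the instance with a one-state model that loops on every label: the search then enumerates subsets of A’s states, which is why even the untimed problem is PSPACE-complete and why adding clocks makes it so much harder.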

Transition systems fall into two distinct categories depending on the number of states: finite and infinite state systems.

2.1.5 Verification of finite state systems

Finite state systems include FSMs, FSMs with bounded communication channels, FSMs with variables ranging over finite data types, safe Petri Nets...

Such systems can be verified using techniques first introduced in [27, 51]. However, these techniques suffer from the state space explosion problem, which is due to the fact that even seemingly small systems can have very large state spaces. Indeed the number of states grows exponentially with the size of the system. For instance, a digital circuit whose registers hold n bits of state has up to 2^n different states. Such large state spaces cannot be stored in a single computer’s memory. Moreover, even efficient algorithms which run in time linear in the size of the state space take too much time to be usable.

The following directions have been suggested to tackle these problems:
• Distributed model checking spreads the workload over a network of computers, which gives access to larger amounts of memory [10, 42, 24, 44, 54, 17, 21, 41, 35].
• Symbolic model checking avoids representing each state explicitly. Instead, it uses symbolic representations to represent large sets of states compactly [22, 23].
• Algorithms which explore paths through the state space, typically used to verify requirements of the second type, can take advantage of the fact that many paths may be equivalent. This happens for instance in models of concurrent systems. Partial order reduction techniques observe that not all interleavings of independent actions need to be considered [56, 48, 33].
• Compositional reasoning is an application of the “divide and conquer” paradigm: prove the correctness of a large system by proving the correctness of its individual subsystems, which are smaller, then deduce the correctness of the large system from the correctness of its subsystems [28, 34, 36, 43, 50].
• Abstraction reduces the state space by mapping several states to so-called abstract states. The resulting abstract transition system is smaller and can hopefully be verified. If the mapping was wisely chosen, the conclusions from the verification of the abstract system extend to the original system. This method takes advantage of the fact that in order to reason about specific properties of a system, one need not consider every single detail of the said system. The abstract mapping can be computed automatically using counter-example driven refinement [26, 39, 52, 16, 40].

2.1.6 Verification of infinite state systems

Infinite state systems are transition systems whose sets of states are infinite. This category can be further divided into several overlapping classes, according to the causes of infiniteness:
• Unbounded data types, such as real-valued clocks (used to model processes with real-time constraints [11]), unbounded communication channels (used for communication protocols) [7, 29], and real-valued variables, e.g. in hybrid automata [38].
• Parameterized systems [32, 8], where the parameter can be the number of computers in a network, or the number of tasks running on a computer. Although this parameter has a finite value, one is typically interested in the correctness of the system regardless of the value of the parameter. Verifying the system for each value of the parameter is often not affordable, or impossible if the range of the parameter is infinite. Petri Nets and their derivatives constitute a well-known class of such parameterized systems.


Additionally, large finite state systems are sometimes viewed as infinite state systems.

The main problem with verification of infinite state systems is that many properties of interest, such as reachability, are undecidable in general: no algorithm can decide them for every system in the class. For example, the halting problem for Turing machines [55], control-state reachability for Minsky machines [46] and reachability for some classes of hybrid systems [12] are undecidable.

Research challenges consist of
• identifying classes of systems and specifications for which verification is decidable,
• designing efficient algorithms for these,
• identifying undecidable problems,
• designing semi-algorithms to verify systems of practical relevance.

Symbolic representations were first used to combat the state space explosion problem in the case of finite state systems: large sets of states could be represented by a concise symbolic notation. Since symbolic representations are also capable of representing infinite sets, they can be used to verify infinite state systems.

Finite symbolic space

If the symbolic state space is finite, the verification problem can be solved using techniques from the realm of finite state systems: by explicitly exploring the finite symbolic state space, or by using symbolic representations at another level to efficiently explore the symbolic state space.

To illustrate this, consider the problem of reachability for timed automata [11]. The state of a timed automaton is composed of a control location and the exact values of each clock. Since clocks may take any real value, the state space is infinite. It is possible to partition this infinite state space into a finite set of so-called regions. Each concrete state in a region is equivalent to all other states in the same region with respect to reachability. In other words, the timed automaton induces a transition system operating on this finite set of regions, such that the original automaton can reach a state if and only if the region-based transition system can reach the region to which the concrete state belongs.

In theory, the original problem can now be solved by exploring the set of reachable regions. However, even if the set is finite, it is often still too big for this method to be usable in practice. To overcome this difficulty, it is possible to use a compact symbolic representation of sets of regions, called zones. The problem then becomes solvable in practice, using symbolic model checking. One can consider that symbolic representations were used at two levels: once to represent infinite sets of concrete states as regions, then to compactly represent large sets of regions.


Monotonic Transition SystemsThere are situations where the symbolic state space is still infinite. However,if the system is a monotonic transition system (MTS) [5], the problem of de-ciding if a set of bad states is reachable from the initial states is decidable.MTS have the property that there exists a simulation between states which isa well-quasi-order.

A state s is said to simulate a state t, written t � s, if the system, when instate s, can perform all actions it can perform when in state t. Moreover, thestate s′ reached from s simulates the state t ′ reached from t.

Informally, the system can do more when in state s than when in state t.A simulation � is a well-quasi order if all infinite sequences of states

s0,s1, . . . are doomed to have at least a pair of states si,s j with i < j such thatsi � s j.

For instance, Petri Nets are MTS. A state is a marking, a record of howmany tokens are present in each location. A state M simulates another state Nif the number of tokens in each location in M is not smaller than the numberof tokens in locations in N. This simulation relation is a well-quasi ordering:It is impossible to build an infinite sequence of markings M0,M1, . . . such thatno marking Mj simulates an earlier marking Mi (with i < j). In other words,all infinite sequences of markings are doomed to contain a marking whichsimulates another marking appearing earlier in the sequence.

The problem is solved by running the system “backwards” from the set ofbad states. This process computes the pre-image of the bad states, i.e. the statesfrom which the bad states can be reached. At iteration i, we have computedthe set of states Pi which can reach the bad states within i states. We can stopthe computation when Pi includes the initial state, or when all states in Pi aresimulated by states in Pi−1.

Because the simulation relation is a well-quasi-order, this process is known to terminate.
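The backward procedure just described, carried out on a concrete Petri net, as an added example (this is not code from the thesis or its papers). The net is a constructed parameterized mutual-exclusion protocol: an unbounded number of processes can be spawned, and a single lock token guards the critical section. Markings are tuples, the simulation relation is the componentwise ordering on token counts, and each upward-closed set Pi is stored by its finitely many minimal elements. The names MUTEX_NET, pre_image and backward_coverability are choices of this example, not of the thesis.

```python
"""Backward coverability for a Petri net, the monotonic transition system
used as the running example above.  Added illustration, not code from the
thesis; the net, initial marking and bad markings are constructed here."""

# Constructed parameterised mutual-exclusion net; places are indexed as
# (idle, wait, crit, lock).  A transition is a (pre, post) pair of token
# vectors: tokens consumed from and produced in each place.
MUTEX_NET = {
    "spawn":   ((1, 0, 0, 0), (2, 0, 0, 0)),  # unboundedly many processes
    "request": ((1, 0, 0, 0), (0, 1, 0, 0)),
    "enter":   ((0, 1, 0, 1), (0, 0, 1, 0)),  # takes the lock token
    "leave":   ((0, 0, 1, 0), (1, 0, 0, 1)),  # gives it back
}
INITIAL = (1, 0, 0, 1)   # one process, lock free


def simulates(m, n):
    """Marking m simulates n when every place of m holds at least as many
    tokens as the same place of n.  This is the well-quasi-order on markings."""
    return all(a >= b for a, b in zip(m, n))


def minimal(markings):
    """An upward-closed set is represented by its minimal elements: drop
    every marking that strictly simulates another marking of the set."""
    ms = set(markings)
    return frozenset(m for m in ms
                     if not any(n != m and simulates(m, n) for n in ms))


def pre_image(net, m):
    """Minimal markings from which one transition leads to a marking that
    simulates m: fire each transition backwards (undo post, then add pre)."""
    preds = []
    for pre, post in net.values():
        preds.append(tuple(max(x - q, 0) + p for x, p, q in zip(m, pre, post)))
    return preds


def backward_coverability(net, initial, bad):
    """Return (coverable, iterations).

    P_0 = bad, P_i = P_{i-1} union pre(P_{i-1}).  Stop when the initial
    marking lies in P_i, or when every element of P_i is simulated by an
    element of P_{i-1}, i.e. nothing new was found."""
    current = minimal(bad)
    iterations = 0
    while True:
        iterations += 1
        if any(simulates(initial, m) for m in current):
            return True, iterations
        candidates = set(current)
        for m in current:
            candidates.update(pre_image(net, m))
        nxt = minimal(candidates)
        if all(any(simulates(n, old) for old in current) for n in nxt):
            return False, iterations   # fixpoint; the wqo guarantees we get here
        current = nxt


if __name__ == "__main__":
    # Can two processes be in the critical section at once?
    print(backward_coverability(MUTEX_NET, INITIAL, [(0, 0, 2, 0)]))
    # Can at least one process enter the critical section?
    print(backward_coverability(MUTEX_NET, INITIAL, [(0, 0, 1, 0)]))
```

The mutex violation (0, 0, 2, 0) is reported as not coverable once the set of minimal elements stops growing, even though the set of reachable markings is infinite; the well-quasi-ordering on markings is what guarantees that the loop ends. The same loop reports (0, 0, 1, 0) as coverable as soon as a predecessor simulated by the initial marking appears.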

Semi-algorithms

Finally, there are also cases where the symbolic state space is infinite and the system is not an MTS.

This situation is not hopeless, since it may still be possible to design semi-algorithms that terminate on many systems which model real software or protocols. Even though such semi-algorithms are not guaranteed to terminate, they may still be capable of verifying many systems of practical interest.

A popular technique is forward reachability using acceleration. This technique consists of running the system symbolically from the initial states, computing the effect of long sequences of transitions in one computation step. In practice, this technique can outperform backward reachability, which makes it an interesting option to consider, even when verifying MTSs.


2.2 Contributions

2.2.1 Paper I

A powerful method of verification consists of using two automata: one for the specification, the other for the model of the system. The system is considered correct if the language of the second automaton is included in the language of the first.

A simpler version of this problem is to answer the question "Is the language of a given timed automaton the set of all traces?"

We show this problem to have non-primitive recursive time complexity in the case where we consider Timed Automata with one clock, and to be undecidable for Timed Automata with at least two clocks, Timed Automata with a single clock and non-deterministic resets, and Timed Automata with a single clock and silent transitions.

This negative result also applies to the more complex original problem. We also show that for Timed Automata with Büchi conditions, the universality problem is undecidable even when only one clock is used.

These results are obtained by reduction from the reachability problem for channel machines. The problem is solvable, but hard, for lossy channel machines, as shown in [53]. The problem is undecidable for perfect channel machines, since they can simulate Turing machines.

2.2.2 Paper II

Regular model checking makes it possible to verify parameterized systems. This method uses regular expressions to represent both states and the transition relation. Regular expressions are represented using non-deterministic finite automata. For efficiency reasons, it is important that these be as small as possible.

Minimizing non-deterministic automata is hard [45]. To tackle this problem, one can minimize with respect to bisimilarity instead of language equivalence. The partition refinement algorithm presented in [47] solves the problem efficiently, but it assumes an alphabet of size one. Regular model checking generates automata with alphabets so large that sets of actions must be represented symbolically, for instance using ROBDDs [22].

We designed a minimization algorithm based on Paige and Tarjan's which is capable of handling automata with large alphabets represented using decision diagrams.
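An added example of bisimulation minimization of an automaton whose edges carry large symbol sets, written for this summary rather than taken from Paper II. It uses plain signature-based partition refinement instead of the Paige-Tarjan algorithm, and Python frozensets of symbols stand in for the decision diagrams; the point it shows is that with symbolic labels the refinement step works on one label set per target block rather than one entry per symbol. The automaton, and the names signature, bisimulation_minimise and quotient, are constructed for the example.

```python
"""Bisimulation minimisation of a non-deterministic automaton with large,
set-valued edge labels.  Added illustration, not the thesis's algorithm:
signature refinement (not Paige-Tarjan), with frozensets standing in for
the decision diagrams used in regular model checking."""
from collections import defaultdict

# Constructed NFA.  Each edge carries a *set* of symbols, the way automata
# produced by regular model checking carry large action sets.
SIGMA = frozenset(range(256))                       # one byte of alphabet
LOW, HIGH = frozenset(range(128)), frozenset(range(128, 256))
STATES = ["q0", "q1", "q2", "q3", "q4", "q5"]
ACCEPTING = {"q3", "q4"}
EDGES = [
    ("q0", LOW,   "q1"), ("q0", HIGH,  "q2"),   # q1 and q2 should merge
    ("q1", SIGMA, "q3"), ("q2", SIGMA, "q4"),   # q3 and q4 should merge
    ("q1", HIGH,  "q5"), ("q2", HIGH,  "q5"),
    ("q3", LOW,   "q3"), ("q4", LOW,   "q4"),   # self-loops on LOW
]


def signature(state, block_of, edges):
    """For each target block, the union of the symbol sets on edges into it.
    Two states in the same block with equal signatures are bisimilar; the
    union is the symbolic step (a BDD 'or' in the real implementation)."""
    per_block = defaultdict(frozenset)
    for src, labels, dst in edges:
        if src == state:
            per_block[block_of[dst]] = per_block[block_of[dst]] | labels
    return frozenset(per_block.items())


def bisimulation_minimise(states, edges, accepting):
    """Refine the partition {accepting, non-accepting} until it is stable.
    Returns a map state -> block id; the number of blocks only grows, so
    the loop ends as soon as a round splits nothing."""
    block_of = {s: (s in accepting) for s in states}
    while True:
        sigs = {s: (block_of[s], signature(s, block_of, edges)) for s in states}
        ids = {}
        new_block_of = {s: ids.setdefault(sigs[s], len(ids)) for s in states}
        if len(set(new_block_of.values())) == len(set(block_of.values())):
            return new_block_of
        block_of = new_block_of


def quotient(states, edges, accepting, block_of):
    """Minimised automaton: one state per block and one edge per pair of
    blocks, labelled with the union of the merged edges' symbol sets."""
    merged = defaultdict(frozenset)
    for src, labels, dst in edges:
        key = (block_of[src], block_of[dst])
        merged[key] = merged[key] | labels
    q_states = sorted(set(block_of.values()))
    q_accept = {block_of[s] for s in accepting}
    q_edges = [(a, labels, b)
               for (a, b), labels in sorted(merged.items(), key=lambda kv: kv[0])]
    return q_states, q_edges, q_accept


if __name__ == "__main__":
    blocks = bisimulation_minimise(STATES, EDGES, ACCEPTING)
    q_states, q_edges, q_accept = quotient(STATES, EDGES, ACCEPTING, blocks)
    print(blocks)
    print(len(q_states), "states;", len(q_edges), "symbolic edges")
```

On the constructed automaton q1 and q2 (and q3 and q4) collapse, and the two edges leaving q0 merge into a single edge labelled with the whole alphabet: the quotient has four states and four symbolic edges, whereas enumerating symbols would have produced hundreds of transitions.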

2.2.3 Paper III

Networks of identical processes with one clock each are very similar to timed Petri nets. Reachability analysis can be done using the techniques in [8]. We show that when each process is allowed two clocks or more, the reachability problem becomes undecidable. It is however possible to render the problem decidable by adding restrictions:
• Clocks are discrete, meaning their values range over the set of integers.
• Closed timed networks may only use non-strict constraints. In that case the problem can be reduced to the case where clocks are discrete.

Networks which do not have these restrictions have an expressive power which may seem excessive. Indeed, it is possible to distinguish between traces with arbitrarily small precision. Since no real system can achieve such a level of precision, it is reasonable to limit expressiveness, either by using the aforementioned restrictions, or by introducing fuzziness at the semantic level, using the notion of robust languages as defined in [37]. We show that this semantic adjustment fails to render the problem decidable for timed networks. In fact, reachability for robust closed timed networks is undecidable, even though the problem for closed timed networks is decidable.

2.2.4 Paper IV

Although reachability analysis of lossy channel systems is decidable [6], the backward algorithm has a high complexity [53]. In [4] an efficient forward approach is described. Although this second approach is a semi-algorithm, meaning it is not guaranteed to terminate in general, it uses acceleration to quickly reach a conclusion on systems of practical relevance. Acceleration consists of computing the effect of long (possibly unbounded) sequences of actions in a single computation step.

We apply the same paradigm to timed Petri nets. The coverability problem for timed Petri nets can be solved by computing pre-images of the set of bad states [9]. We devised a semi-algorithm which uses a forward approach with acceleration. Compared to the backward approach, this solution has the advantage of computing an abstract model which simulates the original one. This abstraction is exact with respect to coverability, which means that it does not produce false positives. The abstract model, which is built once, can be queried multiple times, as opposed to the backward approach, which requires a new costly computation for each requirement.
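An added example of forward coverability with acceleration, for the untimed Petri net case only; it illustrates the paradigm described in the semi-algorithms paragraph of Section 2.1 and in this section for Paper IV, and is not the thesis's semi-algorithm for timed Petri nets. It builds a Karp-Miller style coverability tree: when a branch reaches a marking that strictly covers an ancestor, the places that grew are set to ω, which captures the effect of repeating that transition sequence unboundedly in one step. The resulting set of ω-markings is an abstraction that simulates the net, is built once, and is then queried for coverability as often as needed. The net, and the names coverability_tree and coverable, are constructed for the example.

```python
"""Forward coverability with acceleration (Karp-Miller style) for an
untimed Petri net.  Added illustration of the forward paradigm; it is not
the thesis's semi-algorithm for timed Petri nets.  Net and queries are
constructed here."""

OMEGA = float("inf")   # ω: "arbitrarily many tokens" after acceleration

# Constructed parameterised mutual-exclusion net, places indexed as
# (idle, wait, crit, lock); a transition is a (pre, post) pair of vectors.
MUTEX_NET = {
    "spawn":   ((1, 0, 0, 0), (2, 0, 0, 0)),  # unboundedly many processes
    "request": ((1, 0, 0, 0), (0, 1, 0, 0)),
    "enter":   ((0, 1, 0, 1), (0, 0, 1, 0)),  # needs the lock token
    "leave":   ((0, 0, 1, 0), (1, 0, 0, 1)),  # returns the lock
}
INITIAL = (1, 0, 0, 1)


def covers(m, n):
    """m is at least n in every place; ω covers every finite value."""
    return all(a >= b for a, b in zip(m, n))


def fire(m, pre, post):
    """Successor ω-marking, or None if the transition is not enabled."""
    if not covers(m, pre):
        return None
    return tuple(x - p + q for x, p, q in zip(m, pre, post))  # inf stays inf


def accelerate(m, ancestors):
    """If m strictly covers an ancestor on the current branch, the transition
    sequence between them can be repeated forever: every place that grew
    becomes ω.  This is the effect of an unbounded sequence in one step."""
    m = list(m)
    for a in ancestors:
        if covers(m, a) and tuple(m) != a:
            for i, (x, y) in enumerate(zip(m, a)):
                if x > y:
                    m[i] = OMEGA
    return tuple(m)


def coverability_tree(net, initial):
    """Build the set of ω-markings once, by a depth-first search in which a
    marking already present in the tree is not expanded again."""
    nodes = set()
    stack = [(initial, ())]          # (ω-marking, ancestors on this branch)
    while stack:
        m, path = stack.pop()
        if m in nodes:
            continue
        nodes.add(m)
        for pre, post in net.values():
            succ = fire(m, pre, post)
            if succ is not None:
                stack.append((accelerate(succ, path + (m,)), path + (m,)))
    return nodes


def coverable(nodes, target):
    """Query the abstraction: is some marking covering target reachable?"""
    return any(covers(n, target) for n in nodes)


if __name__ == "__main__":
    tree = coverability_tree(MUTEX_NET, INITIAL)
    print(sorted(tree, key=str))
    for query in [(0, 0, 1, 0), (0, 0, 2, 0), (100, 50, 0, 1)]:
        print(query, coverable(tree, query))
```

The ω-markings over-approximate the reachable markings, but a coverability query is answered exactly: the mutex violation (0, 0, 2, 0) is reported as not coverable, while (0, 0, 1, 0) and any marking with many idle and waiting processes are. Acceleration is also what makes the construction terminate on this net, whose reachable set is infinite.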

2.3 Open problems and future work

The semi-algorithm we presented in Paper IV suffers from the "region-generator space explosion" problem: the number of constraints generated grows quickly. This problem can be overcome using zones, which are compact representations of sets of regions. [9] introduces existential zones, which are used to improve the performance of the backward coverability algorithm. We will improve this semi-algorithm to use "zone generators".


In [31], forward coverability and abstraction are combined to build a framework in which the coverability problem for MTSs can be decided. Early experiments seem encouraging. Inserting zone generators into this framework may yield a new efficient tool to verify timed Petri nets.

Networks of processes with one clock are very close in their behavior to timed Petri nets. We plan to adapt the forward coverability algorithm to such networks.

Even though controller-state reachability of timed networks with two clocks is undecidable, it may be possible to design efficient semi-algorithms. On the other hand, this problem is decidable if we add the restriction that clock constraints be non-strict. Designing an efficient algorithm for that case remains to be done.


3. Swedish summary

Verification of parameterized and timed systems
Undecidability and efficient methods

Software is nowadays found in a multitude of devices, for example mobile phones, media players, medical equipment, cars and aircraft. These systems are expected to work reliably and efficiently without interruption for months at a time. A critical challenge is therefore to design verification methods, that is, methods that ensure reliability and correctness. This thesis focuses on a particular part of program verification, namely model checking.

To check a system, one uses an abstract model of the system together with a set of properties (a specification) that the system must satisfy. The task is then to automatically decide whether the system conforms to the specification.

We will concentrate on two classes of systems, namely (i) systems in which time is involved, and (ii) parameterized systems.

When software is used to control machines, it is important to make sure that the software never has delays, or executes faster, than the controlled hardware can tolerate. Such systems are called timed systems, and to verify them one can use the classical model of timed automata.

In this context, correctness can be translated into language inclusion between two automata representing the implementation and the specification.

We present the theoretical difficulties from this starting point: we show that language universality, which is a simpler problem, does not have primitive recursive complexity when one starts from finite runs of timed automata with one clock. When many clocks, silent transitions or non-deterministic resets are allowed, we show that the universality problem is undecidable. The problem is also undecidable for automata with Büchi conditions and only one clock.

A parameterized system contains a variable number of components. The Internet (or one of its subnetworks) is an example of such a system. The problem is to verify the correctness of protocols and algorithms used by the network, regardless of the number of nodes in the system.

An important method in the verification of parameterized systems is regular model checking (RMC).


RMC uses automata with a finite number of states as a symbolic representation of sets of states, which may be infinite.

To increase usability, it is important to construct algorithms that efficiently minimize automata. We present a semi-symbolic method that combines an algorithm by Paige and Tarjan with decision diagrams, which are used to represent large sets of symbols compactly.

Finally, we treat systems that both contain timing aspects and are parameterized. We study two related models: timed Petri nets (TPN) and timed networks (TN). TPN are an extension of the classical Petri net model. We present a method for verifying safety properties of timed Petri nets with forward analysis. Since forward analysis is not necessarily complete, we provide a semi-algorithm extended with acceleration techniques so that termination occurs more often in practice.

In a TN, an arbitrary number of timed automata run in parallel. We show undecidability of safety properties when each component has two or more clocks. We investigate variations of this problem that are decidable. For example, the problem is decidable if the time shown by the clocks is discrete, or if we forbid strict comparisons of clock values. Such restrictions are not unrealistic, since digital timers, the real-world counterpart of real-valued clocks, are in fact discrete.


Bibliography

[1] Coverity website. http://linuxbugs.coverity.com/.

[2] Finite state machine. Entry in Wikipedia. Available at http://en.wikipedia.org/wiki/Finite_state_machine.

[3] Slam project. http://research.microsoft.com/slam/.

[4] Parosh Aziz Abdulla, Ahmed Bouajjani, and Bengt Jonsson. On-the-fly analysis of systems with unbounded, lossy FIFO channels. In Proc. 10th Int. Conf. on Computer Aided Verification, volume 1427 of Lecture Notes in Computer Science, pages 305–318, 1998.

[5] Parosh Aziz Abdulla, Karlis Cerans, Bengt Jonsson, and Tsay Yih-Kuen. Algorithmic analysis of programs with well quasi-ordered domains. Information and Computation, 160:109–127, 2000.

[6] Parosh Aziz Abdulla and Bengt Jonsson. Verifying programs with unreliable channels. In Proc. LICS ’93, 8th IEEE Int. Symp. on Logic in Computer Science, pages 160–170, 1993.

[7] Parosh Aziz Abdulla and Bengt Jonsson. Verifying programs with unreliable channels. Information and Computation, 127(2):91–101, 1996. A preliminary version appeared in Proc. 8th IEEE Int. Symp. on Logic in Computer Science.

[8] Parosh Aziz Abdulla and Bengt Jonsson. Verifying networks of timed processes. In Bernhard Steffen, editor, Proc. TACAS ’98, 4th Int. Conf. on Tools and Algorithms for the Construction and Analysis of Systems, volume 1384 of Lecture Notes in Computer Science, pages 298–312, 1998.

[9] Parosh Aziz Abdulla and Aletta Nylén. Better is better than well: On efficient verification of infinite-state systems. In Proc. LICS ’00, 16th IEEE Int. Symp. on Logic in Computer Science, pages 132–140, 2000.

[10] S. Aggarwal, R. Alonso, and C. Courcoubetis. Distributed reachability analysis for protocol verification environments. In Discrete Event Systems: Models and Applications, IIASA Conference, pages 40–56, 1987.

[11] R. Alur and D. Dill. A theory of timed automata. Theoretical Computer Science, 126:183–235, 1994.


[12] E. Asarin and O. Maler. On some relations between dynamical systems and transition systems. In Abiteboul and Shamir, editors, Proc. ICALP ’94, 21st International Colloquium on Automata, Languages, and Programming, volume 820 of Lecture Notes in Computer Science, pages 59–72. Springer Verlag, 1994.

[13] E. Asarin, O. Maler, and A. Pnueli. Symbolic controller synthesis for discrete and timed systems. In P. Antsaklis, W. Kohn, A. Nerode, and S. Sastry, editors, Hybrid Systems II, volume 999 of Lecture Notes in Computer Science, pages 1–20. Springer Verlag, 1995.

[14] E. Asarin, O. Maler, and J. Sifakis. On the synthesis of discrete controllers for timed systems. In E.W. Mayr and C. Puech, editors, Proc. STACS ’95, Symp. on Theoretical Aspects of Computer Science, volume 900 of Lecture Notes in Computer Science, pages 229–242. Springer Verlag, 1995.

[15] T. Ball, B. Cook, V. Levin, and S.K. Rajamani. SLAM and Static Driver Verifier: technology transfer of formal methods inside Microsoft. In Integrated Formal Methods, 2004.

[16] T. Ball and S.K. Rajamani. Automatically validating temporal safety properties of interfaces. In SPIN Workshop, volume 2057 of LNCS, pages 103–122. Springer, 2001.

[17] J. Barnat, L. Brim, and J. Stribrna. Distributed LTL model checking in SPIN. In 8th Int. SPIN Workshop, volume 2057 of LNCS. Springer-Verlag, 2001.

[18] Patrick Behm, Paul Benoit, Alain Faivre, and Jean-Marc Meynadier. Meteor: A successful application of B in a large project. In Proc. FM’99 - Formal Methods: World Congress on Formal Methods in the Development of Computing Systems, volume 1708 of LNCS, page 369, September 1999.

[19] Arne Borälv. Case study: Formal verification of a computerized railway interlocking. Formal Aspects of Computing, 10(4):338–360, April 1998.

[20] F. D. J. Bowden. Modelling time in Petri nets. In Proc. Second Australian-Japan Workshop on Stochastic Models, 1996.

[21] L. Brim, I. Cerna, P. Krcal, and R. Pelanek. Distributed LTL model checking based on negative cycle detection. In Proc. of the FSTTCS Conference, 2001.

[22] R.E. Bryant. Graph-based algorithms for Boolean function manipulation. IEEE Trans. on Computers, C-35(8):677–691, Aug. 1986.

[23] J.R. Burch, E.M. Clarke, K.L. McMillan, D.L. Dill, and L.J. Hwang. Symbolic model checking: 10^20 states and beyond. In Proc. LICS ’90, 5th IEEE Int. Symp. on Logic in Computer Science, 1990.


[24] Gianfranco Ciardo, Joshua Gluckman, and David Nicol. Distributed state-space generation of discrete-state stochastic models. Technical Report TR-95-75, 1995.

[25] Alessandro Cimatti, Fausto Giunchiglia, Giorgio Mongardi, Dario Romano, Fernando Torielli, and Paolo Traverso. Formal verification of a railway interlocking system using model checking. Formal Aspects of Computing, 10(4):361–380, April 1998.

[26] Edmund M. Clarke, Orna Grumberg, Somesh Jha, Yuan Lu, and Helmut Veith. Counterexample-guided abstraction refinement. In Proc. 12th Int. Conf. on Computer Aided Verification, pages 154–169, 2000.

[27] E.M. Clarke, E.A. Emerson, and A.P. Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Trans. on Programming Languages and Systems, 8(2):244–263, April 1986.

[28] E.M. Clarke, D.E. Long, and K.L. McMillan. A language for compositional specification and verification of finite state hardware controllers. In Proc. of the 9th International Symposium on Computer Hardware Description Languages and Their Applications, pages 281–295, 1989.

[29] A. Finkel. Decidability of the termination problem for completely specified protocols. Distributed Computing, 7(3), 1994.

[30] Simson Garfinkel. History’s worst software bugs. Article in Wired News, November 2005. Available at http://www.wired.com/news/technology/technology/bugs/0,69355-0.html.

[31] Gilles Geeraerts, Jean-François Raskin, and Laurent Van Begin. Expand, enlarge, and check: New algorithms for the coverability problem of WSTS. In Proc. Foundations of Software Technology and Theoretical Computer Science, volume 3328 of LNCS, page 287, 2004.

[32] S. M. German and A. P. Sistla. Reasoning about systems with many processes. Journal of the ACM, 39(3):675–735, 1992.

[33] P. Godefroid and P. Wolper. A partial approach to model checking. In Proc. LICS ’91, 6th IEEE Int. Symp. on Logic in Computer Science, 1991.

[34] S. Graf and B. Steffen. Compositional minimization of finite state processes, 1990.

[35] O. Grumberg, T. Heyman, and A. Schuster. Distributed symbolic model checking for the mu-calculus. In Int. Conf. on Computer Aided Verification, July 2001.


[36] O. Grumberg and D.E. Long. Model checking and modular verification. In J.C.M. Baeten and J.F. Groote, editors, Proc. CONCUR ’91, Theories of Concurrency: Unification and Extension, volume 527 of Lecture Notes in Computer Science, pages 250–265, Amsterdam, Holland, 1991. Springer Verlag.

[37] V. Gupta, T. Henzinger, and R. Jagadeesan. Robust timed automata. In Proc. of HART ’97, volume 1201 of Lecture Notes in Computer Science, pages 331–345, 1997.

[38] T.A. Henzinger. Hybrid automata with finite bisimulations. In Proc. ICALP ’95, 22nd International Colloquium on Automata, Languages, and Programming, 1995.

[39] Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, and Grégoire Sutre. Lazy abstraction. In Symposium on Principles of Programming Languages, pages 58–70, 2002.

[40] Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, and Grégoire Sutre. Software verification with BLAST. In Model Checking Software: 10th International SPIN Workshop, volume 2648 of LNCS, pages 235–239, January 2003.

[41] T. Heyman, D. Geist, O. Grumberg, and A. Schuster. Achieving scalability in parallel reachability analysis of very large circuits. In 12th Int. Conf. on Computer Aided Verification, volume 1855 of LNCS, pages 20–35, June 2000.

[42] N. Kumar and R. Vemuri. Finite state machine verification on MIMD machines. In European Design Automation Conference, pages 514–520, 1992.

[43] K.G. Larsen. Modal specifications. In Sifakis, editor, Proc. Workshop on Computer Aided Verification, volume 407 of Lecture Notes in Computer Science, pages 232–246. Springer Verlag, 1989.

[44] F. Lerda and R. Sisto. Distributed-memory model checking with SPIN. In 6th Int. SPIN Workshop, volume 1680 of LNCS. Springer-Verlag, 1999.

[45] A.R. Meyer and L.J. Stockmeyer. The equivalence problem for regular expressions with squaring requires exponential space. In Proc. 13th Ann. IEEE Symp. on Switching and Automata Theory, pages 125–129, 1972.

[46] M. Minsky. Computation: Finite and Infinite Machines. Prentice-Hall, 1967.

[47] R. Paige and R.E. Tarjan. Three partition refinement algorithms. SIAM Journal on Computing, 16(6):973–989, 1987.

[48] D. Peled. All from one, one for all: on model-checking using representatives. In Proc. 5th Int. Conf. on Computer Aided Verification, volume 697 of Lecture Notes in Computer Science, pages 409–423. Springer-Verlag, 1993.


[49] C.A. Petri. Kommunikation mit Automaten. PhD thesis, University of Bonn, 1962.

[50] A. Pnueli. In transition from global to modular temporal reasoning about programs. Technical Report CS-85-05, Weizmann Institute, May 1985.

[51] J.P. Queille and J. Sifakis. Specification and verification of concurrent systems in CESAR. In 5th International Symposium on Programming, Turin, volume 137 of Lecture Notes in Computer Science, pages 337–352. Springer Verlag, 1982.

[52] Hassen Saïdi. Model checking guided abstraction and analysis. In Proc. 7th International Static Analysis Symposium, July 2000.

[53] Ph. Schnoebelen. Verifying lossy channel systems has nonprimitive recursive complexity. Information Processing Letters, 83(5):251–261, 2002.

[54] U. Stern and D.L. Dill. Parallelizing the Murphi verifier. Formal Methods in System Design, 18(2):117–129, 2001.

[55] A.M. Turing. On computable numbers, with an application to the Entscheidungsproblem. In Proc. of the London Mathematical Society, volume 42, pages 230–265, 1936.

[56] A. Valmari. Stubborn sets for reduced state space generation. In Advances in Petri Nets, volume 483 of Lecture Notes in Computer Science, pages 491–515. Springer-Verlag, 1990.

[57] M. Y. Vardi and P. Wolper. An automata-theoretic approach to automatic program verification. In Proc. LICS ’86, pages 332–344. IEEE Computer Society Press, 1986.


Acta Universitatis Upsaliensis
Digital Comprehensive Summaries of Uppsala Dissertations from the Faculty of Science and Technology 187

Editor: The Dean of the Faculty of Science and Technology

A doctoral dissertation from the Faculty of Science and Technology, Uppsala University, is usually a summary of a number of papers. A few copies of the complete dissertation are kept at major Swedish research libraries, while the summary alone is distributed internationally through the series Digital Comprehensive Summaries of Uppsala Dissertations from the Faculty of Science and Technology. (Prior to January, 2005, the series was published under the title "Comprehensive Summaries of Uppsala Dissertations from the Faculty of Science and Technology".)

Distribution: publications.uu.se
urn:nbn:se:uu:diva-6891

ACTA UNIVERSITATIS UPSALIENSIS, UPPSALA 2006