regular model checking

Regular Model Checking

Ahmed Bouajjani,Benget Jonsson, Marcus Nillson and Tayssir Touili

Moran Ben Tulila8.5.12

OutlineIntroductionProgram Model DefinitionAutomata Theoretic Construction of the

Transitive ClosureWidening Based Techniques Model Checking of -Regular PropertiesConclusion

About Regular Model Checking

A framework for algorithmic verification of infinite-state systems with e.g. queues,stacks,integers, or a parameterized linear (or ring-formed) topology

Considers systems whose states can be represented as finite strings of arbitrary length over a finite alphabet

We will focus on the problems of computing the set of states that are reachable from some set of initial states, and on computing the transitive closure of the transition relation

•Introduction•Program Model Definition•Automata Theoretic Construction of the Transitive Closure•Widening Based Techniques •Model Checking of -Regular Properties•Conclusion

VerificationProblems

Computing Reachability Sets-

Computing Transitive Closure-


Motivation

The problem of verifying that a system satisfies a certain correctness property is usually reduced to checking some form of reachability problem on a transition system model of the system

Examples: mutual exclusion

Q: So, why not to use standard iteration-based methods?


finding loops of parameterized systems

The (Obvious) Answer:

Termination is not guaranteed for parameterized or infinite-state systems! -termination is guaranteed only if there is a bound on the distance (in number of transitions) from the initial configurations to any reachable configuration


Definitions•Introduction•Program Model Definition•Automata Theoretic Construction of the Transitive Closure•Widening Based Techniques •Model Checking of -Regular Properties•Conclusion

• Regular Set-

• Cross Product-

Definitions (Cont.)•Introduction•Program Model Definition•Automata Theoretic Construction of the Transitive Closure•Widening Based Techniques •Model Checking of -Regular Properties•Conclusion

• Regular Relation -

A regular relation can be conveniently recognized by a finite-state transducer

Definitions (Cont.)•Introduction•Program Model Definition•Automata Theoretic Construction of the Transitive Closure•Widening Based Techniques •Model Checking of -Regular Properties•Conclusion

• Transducer-

Example: the token passing protocol

0 1 2

The transition relation can be represented by a finite set of actions, when each action is a regular relation between strings that can be represented by a finite-state transducer (as the one above)

Program Model•Introduction•Program Model Definition•Automata Theoretic Construction of the Transitive Closure•Widening Based Techniques •Model Checking of -Regular Properties•Conclusion

Example: the token passing protocol

Another Example of System Modeling

Systems communicating over unbounded FIFO channels


FIFO channel

…M1 M2 M3

Configurations are of the form:

Another Example of System Modeling (Cont.)

The system is modeled by:


Computing the Transitive Closure

We will present a technique for computing R+ by computing a minimal deterministic transducer that recognizes it

At this point – our construction is not guaranteed to terminate (in particular if R+ is not regular)

we’ll see how to deal with that problem in a few slides

From now on – assume R is a regular relation on


Computing the Transitive Closure (Cont.)

R regular R can be represented as a finite-state transducer:



In matrix form:



The first step in our construction will be to regard this matrix as a single run of another transducer

The new transducer’s states will be the columns of the matrix

The new transducer’s transitions will represent the relationship between adjacent columns in the matrix



We define the Column Transducer for R+ as the tuple n when:

- F+ is the set of non-empty sequences of accepting states of R


The column transducer for R+ accepts exactly the relation R+

Example

Recall our transducer for the transition relation of the token passing protocol :

Alphabet slightly changed


Example

The matching column transducer looks as follows:


But… The calculated transducer has infinitely many states

So, we will try to determinize it using the standard subset-construction, in the hope of decreasing the number of states


Reminder from Automata CourseSubset Construction –

standard method for converting a nondeterministic finite automaton (NFA) into a deterministic finite automaton (DFA) which recognizes the same formal language

applies most directly to an NFA that does not allow epsilon moves

For a NFA (Q, Σ, T, q0, F) in which Q is the set of states, Σ is the set of input symbols, T is the transition function ,q0 is the initial state, and F is the set of accepting states –

the matching DFA has states corresponding to subsets of Q. itsinitial state is {q0}, the transition function of the DFA maps a state S (representing a subset of Q) and an input symbol x to the set T(S,x) = ∪{T(q,x) | q ∈ Q} and a state S of the DFA is an accepting state if and only if at least one member of S is an accepting state of the NFA


Subset- Construction Example

For the NFA:


Subset- Construction Example (Cont.)

We get the following DFA:


Determinizing the Column Transducer

Let x,y range over columns and X,Y over sets of columns The subset construction applied to the column

transducer yields the automaton:


when:

Determinizing the Column Transducer (Cont.)

A few technical details:The transducer is constructed on-the-fly, starting from the

initial state and computing successors for each generated state X and pair of symbols (a,a’)

The construction terminates when no new states are generated

In most cases, the subset-construction does not yield a finite automaton


Determinizing the Column Transducer - Example Deterministic transducer built from the column

transducer for the token passing protocol:


Transducer’s Minimization As shown, the subset construction doesn’t necessarily

yield a finite automata Therefore, we try to make it smaller by identifying

equivalent sets of columns during the construction (and merging them)

We’ll define equivalent sets as the following:

Two sets X,Y of columns are equivalent if suff(X)=suff(Y)


Transducer’s Minimization (Cont.)

Detection of equivalent sets is based on saturation The basic idea-

Extend (saturate) each set X of columns by additional columns x such that

Hopefully, two equivalent sets of columns will become identical after saturation


Transducer’s Minimization (Cont.) Dedinition:

A state q in the original transducer R is a copying state if


Saturation Rule:

Transducer’s Minimization (Cont.)


If the set of reachable states in the automaton is finite, then R+ is regular and then, using standard techniques we can obtain a minimal deterministic finite-state transducer which recognizes R+

Transducer’s Minimization - Example

The minimal deterministic transducer accepting R+ for the token passing protocol is:


Termination It can be shown that R+ is regular under some sufficient

conditions on a regular relation R (so in that case our construction of R+ yields a finite-state transducer)

In order to characterize the class of regular relations R for which our transitive-closure works, we define a notion of local depth:


Termination (Cont.)


Intuitively, a relation with local depth k never needs to rewrite any element of a word more than k times to relate two words

For example:The transition relation in a parameterized system in which a

process passes a token to its right neighbor (token passing protocol) has local depth 2, since in an arbitrary execution sequence, each process is affected at most twice: When receiving the token When sending the token


Termination (Cont.)

With some modifications, this method enable us to compute as well


Computing Reachable Configurations

Used to speed up the calculation of a regular fixpoint Applied during the iterative construction of the set of

reachable configurations in order to help termination

Our technique consists in: guessing automatically the image of iterating a relation

starting from some given regular set deciding whether this guess is correct


Widening

A widening step consists in: guessing the result of iterating R starting from by

comparing to In general, this guess can be made by considering the sets up to some finite bound k Adding the obtained set (the guess) to the computed set of

configurations Continuing exploration of the configuration space


Computing Set of Reachable Configurations

( )iR


Computing Set of Reachable Configurations (Cont.)

Intuitively:C1 applying R to is to like “adding” between and

C2 ( is a fixpoint of and is the least fixpoint of F)


Computing Set of Reachable Configurations (Cont.)

Our work process: Given two regular sets and we need to find regular

sets such that C1 holds and check that condition C2 also holds for these sets

Notice that by adding to the computed set of configurations we capture at least all the reachable configurations from by iterating R. Nevertheless, the inclusion isn’t guaranteed by C2 (for any kind of regular relation R)

* *1 2 ( )R

Computing reachability set from initial configurations for the token passing protocol:


Computing Set of Reachable Configurations - Example

C1 holds since:

C2 holds since:

in this example, we apply an exact widening step by adding to the set of reachable configurations. By doing this, our procedure terminates and we get the result:

As stated before – our method doesn’t guarantee us finding the set of reachable configurations exactly

We will introduce a class of relations for which it can be shown that our widening technique is exact


Exact Widening


Exact Widening (Cont.)

A few definitions-



A few definitions (cont.) -



To prove this theorem we define:

Nathreian relations-

a length preserving relation R is natherian iff idR R



Then we can prove:


Constructing Transitive Closures

Widening technique can also be used to compute the transitive closure of a length preserving relation R


Verifying Properties

We will show how to reduce the problem of verifying a property specified by a Buchi automaton to the problem of computing the transitive closure

Based on the fact that detecting infinite sequences reduces to detecting loops

We can use this idea to verify that a program satisfies an ω-regular property under a set of fairness requirements


Verifying Properties (Cont.)

An ω-language consists of infinite words (ω-words), when each word can be viewed as function from N to Σ, with the value at i giving the symbol at position I

The set of all infinite words over Σ is denoted Σω

Thus, an ω-language L over Σ is a subset of Σω,

An ω-language L is ω-regular if it has the form: Aω where A is a nonempty regular language not containing the

empty string AB, the concatenation of a regular language A and an ω-

regular language B (Note that BA is not well-defined) A∪B where A and B are ω-regular languages (this rule can only

be applied finitely many times)



Every ω-regular language can be recognized by a Buchi automaton, when:



Our verification process: encode the negation of the property to be checked as a Buchi

automaton encode each fairness constraint as a Buchi automaton

(we can handle parameterized fairness requirements by associating one Buchi automaton with each position in the word, which expresses the fairness constraint for that position)

construct the product of the program with the Buchi automaton for the negation of the property, and the Buchi automata for the fairness requirements

check whether this product has a reachable “fair loop” in which each Buchi automaton visits an accepting state



Observer bit – one per Buchi automaton. Initialized to “false” in a reachable state and becomes “true”

whenever the Buchi automaton reaches an accepting state. Can never become “false” after being set to “true”

- transition relation containing both Buchi automata and observer bits

Fair loops can be detected by checking whether relates a reachable state with all observer bits being “false” with the same reachable state with all observer bits being “true”

augR

augR


Verifying Properties- Example

We want to verify the liveness property “every process eventually gets the token” of the token passing protocol:

The property negation is: “some process never gets the token” The negation can be expressed by a Buchi automaton

accepting an infinite sequence of states of a process where the token is never obtained

Encoded by adding a boolean variable r and changing transition relation and set of initial configurations so that: r is true at exactly one position in the word The truth value of r never changes in any position The token is never passed to the position where r holds


Verifying Properties- Example (Cont.)

The fairness constraint for each process is:The process may not hold the token indefinitely

And can be expressed by the Buchi automaton:

These Buchi automata are encoded by an extra variable s, initialized to s1 and ranging over {s1,s2}The transition relation is extended so that it includes s


Verifying Properties- Example (Cont.)

We can now check for fair infinite runs that violate the original property by checking the emptiness of the set:


Conclusion

Regular model checking – framework for algorithmic verification of parameterized and infinite-state systems

Automata theoretic construction of transitive closure of regular relation

Widening based techniques for computing set of reachable configurations

Implementation during verification

The End

regular model checking

Documents

techniques model checking

regualr model

transitive closurewidening

transition system model

set of states

infinitestate systems

finite set of actions

set of initial states