Verification of Infinite-State Systems
Ahmed Bouajjani
LIAFA - University of Paris 7
Genova - November 2002
Why Consider Infinite-State Systems?

Real-time Constraints
  Embedded systems, telecommunication protocols, etc.
Infinite Data Domains - Unbounded Data Structures
  Counters, queues, etc.
Unbounded Control Structures
  Recursive calls, dynamic creation of processes, mobility, etc.
Parametrization
  Parametric bounds, networks of an arbitrary number of identical processes.
Various Models

Extended Automata = FSA + Guarded Commands
• Timed automata - Hybrid automata
• Petri Nets - Vector Addition Systems - Counter automata
• Pushdown automata
• FIFO Channel Systems

Process Calculi - Rewrite Systems
CCS, π-calculus, Process Rewrite Systems (BPA, BPP, PA, ...), etc.
Parametrized Networks

S_n = P_1 || P_2 || ··· || P_n
∀n. S_n ⊨ ϕ(n)

Dimensions of Infinity
P_i: finite-state / infinite-state
Network Topology
• Unstructured networks
• Linear / Ring topology
• Tree-like topology
• Grids, Hypercubes, etc.
Unstructured Parametrized Networks

Identities of processes are not relevant.

Counter Abstraction
• Associate with each control location q a counter c_q
• Associate with a transition q → r the guarded command c_q > 0 / { c_q := c_q − 1; c_r := c_r + 1 }

Exact Abstraction for Unstructured Networks
• Broadcast protocols [Emerson et al.], [Esparza, Finkel, Mayr], [Delzanno]
• Cache coherence protocols [Lesens, Saidi, 97], [Delzanno, 00]
• Multithreaded programs [Delzanno, Raskin, et al., 02], [Ball, Rajamani, 02]
• Group membership algorithms [B., Merceron, 02]
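The counter abstraction above, carried out in code. This is an added example, not code from the slides: the process template (idle / wait / crit plus a single lock "process" that is free or taken), the rule names and the `post_star` driver are all constructed here. It goes slightly beyond the slide by also allowing rendezvous rules (two locations consumed, two produced), which is how the shared lock is modelled; local transitions q → r are exactly the guarded command from the slide.

```python
from collections import deque

# Counter abstraction of a parametrized network: a configuration maps each
# control location to the number of processes currently sitting there.
# A local transition q -> r of the template becomes the guarded command
#   c_q > 0 / { c_q := c_q - 1; c_r := c_r + 1 }.
# Rendezvous rules are an assumption added in this example to model a lock.

def local_rule(q, r):
    """Guarded command for one process moving from location q to r."""
    return ({q: 1}, {q: -1, r: +1})

def rendezvous_rule(q1, q2, r1, r2):
    """Two processes at q1 and q2 move simultaneously to r1 and r2."""
    guard = {q1: 1, q2: 1} if q1 != q2 else {q1: 2}
    delta = {}
    for loc, d in ((q1, -1), (q2, -1), (r1, +1), (r2, +1)):
        delta[loc] = delta.get(loc, 0) + d
    return (guard, delta)

def apply(conf, rule):
    """Successor configuration, or None when the guard c_q >= need fails."""
    guard, delta = rule
    if any(conf.get(loc, 0) < need for loc, need in guard.items()):
        return None
    succ = dict(conf)
    for loc, d in delta.items():
        succ[loc] = succ.get(loc, 0) + d
    return {loc: c for loc, c in succ.items() if c}   # drop zero counters

def post_star(init, rules):
    """Forward reachability over counter configurations; finite for fixed n
    because every rule preserves the total number of processes."""
    frozen = lambda conf: tuple(sorted(conf.items()))
    seen = {frozen(init)}
    work = deque([init])
    while work:
        conf = work.popleft()
        for rule in rules:
            succ = apply(conf, rule)
            if succ is not None and frozen(succ) not in seen:
                seen.add(frozen(succ))
                work.append(succ)
    return [dict(c) for c in seen]

# Constructed template: a process is idle, waiting or in its critical
# section; the lock is a single extra "process" that is free or taken.
MUTEX_RULES = [
    local_rule("idle", "wait"),
    rendezvous_rule("wait", "free", "crit", "taken"),   # acquire the lock
    rendezvous_rule("crit", "taken", "idle", "free"),   # release it
]

# Constructed faulty template: entering crit no longer synchronises with the lock.
UNSAFE_RULES = [
    local_rule("idle", "wait"),
    local_rule("wait", "crit"),
    local_rule("crit", "idle"),
]

def check_mutex(n, rules=MUTEX_RULES):
    """Explore the network of n processes started idle with the lock free and
    return (number of reachable counter configurations,
            True iff at most one process is ever in crit)."""
    init = {"idle": n, "free": 1}
    reach = post_star(init, rules)
    safe = all(conf.get("crit", 0) <= 1 for conf in reach)
    return len(reach), safe

if __name__ == "__main__":
    for n in range(1, 6):
        print(n, check_mutex(n), check_mutex(n, UNSAFE_RULES)[1])
```

Because process identities are irrelevant, the abstract state space grows linearly (2n + 1 configurations for the safe template) instead of exponentially in n; the faulty template is caught as soon as n ≥ 2, when the configuration with two processes in crit becomes reachable.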
Word Rewriting Systems

Let Σ be a finite alphabet.

Rewrite systems
Set of rewrite rules: α ↪ β, where α, β ∈ Σ*.

Rewrite policy
• Prefix rewriting: u ⇒ v iff u = αw and v = βw
• Cyclic rewriting: u ⇒ v iff u = αw and v = wβ
• Factor rewriting: u ⇒ v iff u = w1 α w2 and v = w1 β w2
Sequential Programs with Recursive Procedures

• Finite (abstract) data domain
• Program → Control Flow Graph → Prefix Rewriting System

Internal Action:   ℓ1 —a→ ℓ2           L1 ↪ L2
Procedure Call:    ℓ1 —call(X)→ ℓ2     L1 ↪ X_init · L2
Termination:       ℓ : END             L ↪ ε
Parametrized Networks with a Linear/Ring Topology

Let P be a finite-state process. Let Q be the set of control states of P.
Consider n copies of P: P1 P2 ... Pn

Uniform reasoning for an arbitrary n
• A configuration = a word over the alphabet Q,
• An operation = a word rewrite rule.

Example: Token passing
• P has two states 0 and 1
• A configuration: a word in {0, 1}*
• Left-to-right token passing action: 10 ↪ 01
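The token-passing example run under each of the three rewrite policies from the "Word Rewriting Systems" slide. This is an added example, not code from the slides: the function names, the `reach` driver and the choice of initial configuration (token at the leftmost process) are assumptions made here.

```python
# A configuration of the linear network is a word over {0, 1}, one letter per
# process, where 1 marks the process holding the token.  The single rule
# 10 -> 01 passes the token one position to the right.

def prefix_step(u, rules):
    """u => v iff u = alpha.w and v = beta.w"""
    return {beta + u[len(alpha):] for alpha, beta in rules if u.startswith(alpha)}

def cyclic_step(u, rules):
    """u => v iff u = alpha.w and v = w.beta (rewritten part moves to the end)"""
    return {u[len(alpha):] + beta for alpha, beta in rules if u.startswith(alpha)}

def factor_step(u, rules):
    """u => v iff u = w1.alpha.w2 and v = w1.beta.w2 (rewrite anywhere)"""
    succ = set()
    for alpha, beta in rules:
        start = u.find(alpha)
        while start != -1:
            succ.add(u[:start] + beta + u[start + len(alpha):])
            start = u.find(alpha, start + 1)
    return succ

def reach(u, rules, step):
    """All words reachable from u under the given policy.  Finite here,
    because every rule preserves the length of the word."""
    seen, work = {u}, [u]
    while work:
        w = work.pop()
        for v in step(w, rules):
            if v not in seen:
                seen.add(v)
                work.append(v)
    return seen

TOKEN_RULES = [("10", "01")]   # left-to-right token passing

def token_positions(n, step):
    """Sorted reachable configurations of n processes, token initially at P1."""
    return sorted(reach("1" + "0" * (n - 1), TOKEN_RULES, step))

def single_token(n, step):
    """Safety property: every reachable configuration holds exactly one token."""
    return all(w.count("1") == 1 for w in reach("1" + "0" * (n - 1), TOKEN_RULES, step))

if __name__ == "__main__":
    for policy in (prefix_step, cyclic_step, factor_step):
        print(policy.__name__, token_positions(4, policy), single_token(4, policy))
```

Under factor rewriting the token visits every process, which is the intended semantics of the network; prefix rewriting only ever fires at the leftmost position, and cyclic rewriting moves the rewritten part to the end of the word, so the same rule yields three different reachable sets. The uniformity the slide refers to lies in the rule itself, which is independent of n.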
Term Rewriting Systems

Let Σ = Σ0 ∪ Σ1 ∪ Σ2 ∪ ... be a ranked alphabet. Let X be a set of variables.

Σ-terms
The set of Σ-terms T(Σ) is the smallest set such that:
• X ⊆ T(Σ),
• ∀a ∈ Σk. ∀t1, ..., tk ∈ T(Σ). a(t1, ..., tk) ∈ T(Σ)

Term Rewrite Systems
Set of rewrite rules: t1 ↪ t2, where t1, t2 ∈ T(Σ)

Rewrite policy
Constraints on the context of rewriting; closure under equivalences (e.g. associativity-commutativity of some symbols).
Parallel Programs with Recursive Procedures

Program → Control Flow Graph → PA rewrite system

Internal Action:   ℓ1 —a→ ℓ2            L1 ↪ L2
Procedure Call:    ℓ1 —call(X)→ ℓ2      L1 ↪ X_init · L2
Parallel Call:     ℓ1 —pcall(X)→ ℓ2     L1 ↪ X_init || L2
Termination:       ℓ : END              L ↪ 0
Parametrized Networks with a Tree-like Topology

[Figures 1-4: tree-shaped process networks whose nodes are labelled 0, 1 or ⊥; the drawings are not recoverable from the text]

Rewrite rules:
⊥(1(x, y), z) ↪ 1(1(x, y), z)
⊥(z, 1(x, y)) ↪ 1(z, 1(x, y))
⊥(0(x, y), 0(z, t)) ↪ 0(0(x, y), 0(z, t))
Reachability Analysis

Let 𝒞 be the set of all configurations, and let ρ ⊆ 𝒞 × 𝒞 be a transition relation.
Given a set of configurations C ⊆ 𝒞, compute
ρ*(C) = C ∪ ρ(C) ∪ ρ²(C) ∪ ···

Forward reachability analysis: ρ = post
Backward reachability analysis: ρ = pre
Verification of (Safety) Properties

Example: Invariance properties   Init ⇒ □Good

Forward analysis:   post*(Init) ∩ ¬Good = ∅
Backward analysis:  Init ∩ pre*(¬Good) = ∅
Generation of Finite Abstractions

Let G = (𝒞, Init, ⇒) be the infinite transition graph of a system.
Given a finite partition ∼ of post*(Init), let G_∼ be the finite quotient graph (post*(Init), Init, ⇒)/∼.
• G_∼ simulates G (i.e., G ⊑ G_∼),
• G_∼ ⊨ ϕ ⇒ G ⊨ ϕ, for ϕ in some universal fragment of a temporal logic (e.g. ∀CTL*).
Computing Transitive Closures

Find
• Classes of Relations ℛ, and
• Classes of Sets of Configurations 𝒞,
such that
– ∀ρ ∈ ℛ. ∀C ∈ 𝒞. ρ*(C) ∈ 𝒞 and is effectively constructible,
– The class 𝒞 is effectively closed under boolean operations (∪ and ∩), and the emptiness (and inclusion) problems are decidable.

Usual Restrictions
• Operations (tests, updates, etc.)
• Control structure of the models (control loops, sets of self-loops, etc.)
• Network topology (unstructured, rings, sequences, etc.)
When it works

Pushdown Systems
Configuration = ⟨q, w⟩ where q is a control state, and w is a word.
Set of configurations = ⋃_q {q} × L_q where L_q is a word language.

Thm [B., Esparza, Maler, 97]: For every regular set of configurations C, the sets post*(C) and pre*(C) are regular and effectively constructible.
[Büchi 60's], [Caucal 92], [Finkel, Wolper, Willems, 97], ...

Application to Interprocedural Program Analysis
[Esparza, Knoop, 99], [Esparza, Schwoon, 01], [Ball, Rajamani, et al.]
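A worked instance of the theorem, combined with the program-to-rewriting translation from the "Sequential Programs with Recursive Procedures" slide. This is an added example, not code from the slides or from any of the cited tools: it implements the pre* saturation rule of [B., Esparza, Maler, 97] on a P-automaton and then runs the backward check Init ∩ pre*(¬Good) = ∅ on a small recursive program constructed here. The program, its location names (m0, m1, x0, ...) and the encoding of the finite abstract data domain (one boolean global g, stored in the control state) are assumptions of the example.

```python
# Pushdown system: rules <p, gamma> -> <p', w> with w a tuple of at most two
# stack symbols.  Control states hold the abstract global g in {0, 1};
# stack symbols are program locations, so a configuration <g, L1 L2 ...> is
# "at location L1 with return addresses L2 ..." exactly as on the slide.

def run(trans, state, word):
    """States of the P-automaton reached from `state` after reading `word`."""
    current = {state}
    for sym in word:
        current = {q2 for (q1, s, q2) in trans if q1 in current and s == sym}
    return current

def pre_star(rules, trans):
    """Saturation: while some rule <p,gamma> -> <p',w> has a path p' --w--> q
    in the automaton, add the transition p --gamma--> q.  No new states are
    needed, so the loop terminates; the result accepts exactly pre*(L(A))."""
    trans = set(trans)
    changed = True
    while changed:
        changed = False
        for (p, gamma, p2, w) in rules:
            for q in run(trans, p2, w):
                if (p, gamma, q) not in trans:
                    trans.add((p, gamma, q))
                    changed = True
    return trans

def accepts(trans, finals, p, stack):
    return bool(run(trans, p, stack) & finals)

# Constructed program, translated with the slide's three rule shapes.
#   main:  m0: call X;  m1: if g then m_err else m_end
#   X:     x0: if g then return;  x1: g := 1;  x2: call X;  x3: return
G = (0, 1)   # abstract data domain of the single global g

def program_rules():
    rules = []
    for g in G:
        rules.append((g, "m0", g, ("x0", "m1")))   # procedure call: L1 -> X_init . L2
        rules.append((g, "x1", 1, ("x2",)))        # internal action that sets g := 1
        rules.append((g, "x2", g, ("x0", "x3")))   # recursive call of X
        rules.append((g, "x3", g, ()))             # termination: L -> epsilon
    rules.append((0, "x0", 0, ("x1",)))            # g == 0: fall through
    rules.append((1, "x0", 1, ()))                 # g == 1: return at once
    rules.append((0, "m1", 0, ("m_end",)))         # branch on g in main
    rules.append((1, "m1", 1, ("m_err",)))
    return rules

def location_reachable(rules, loc, init_state, init_loc):
    """Backward analysis: is Init = <init_state, init_loc> in pre*(Bad), where
    Bad = every configuration whose top-of-stack location is `loc`?"""
    symbols = {r[1] for r in rules} | {s for r in rules for s in r[3]}
    states = {r[0] for r in rules} | {r[2] for r in rules}
    # P-automaton for Bad: read `loc` from any control state into the final
    # state f, then accept any remaining stack.
    bad = {(p, loc, "f") for p in states} | {("f", s, "f") for s in symbols}
    return accepts(pre_star(rules, bad), {"f"}, init_state, (init_loc,))

if __name__ == "__main__":
    rules = program_rules()
    print("m_err reachable:", location_reachable(rules, "m_err", 0, "m0"))
    print("m_end reachable:", location_reachable(rules, "m_end", 0, "m0"))
```

The set Bad here is infinite (any stack below m_err), yet it is regular and so is pre*(Bad); the saturated automaton stays finite because saturation only adds transitions between existing states. The check reports m_err reachable, since the first call of X always sets g before returning, and m_end unreachable for the same reason.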