
Reachability Analysis for Some Models of Infinite-State Transition Systems

Reachability Analysis for Some Models of Infinite-State Transition Systems. Oscar H. Ibarra, Tevfik Bultan, and Jianwen Su, Department of Computer Science, University of California, Santa Barbara, {ibarra,bultan,su}@cs.ucsb.edu.


  1. Reachability Analysis for Some Models of Infinite-State Transition Systems Oscar H. Ibarra, Tevfik Bultan, and Jianwen Su Department of Computer Science University of California, Santa Barbara {ibarra,bultan,su}@cs.ucsb.edu

  2. Problem
  • Automated verification techniques have been successful for finite state systems
  • In general, verification problems are undecidable for infinite state systems
  • What kind of restrictions can we place on infinite state systems to make verification problems decidable?

  3. Outline
  • Restricted computational models
  • Reversal-bounded, finite-crossing, phase-bounded machines
  • Language acceptors vs. behavior generators
  • Decidable properties as language acceptors
  • Decidable verification queries as behavior generators
  • Extensions to computational models
  • Applications
  • Conclusions and future work

  4. Shankar's Example This Morning
  • P can be verified with a Presburger arithmetic model checker that uses standard backward fixpoint computations [Bultan et al. 99]
  • Fixpoint computation for AG(State1  x 6) does not converge; we can use widening
  • However, this system is a reversal-bounded counter machine, hence we do not need approximations: we can verify its invariants exactly
  [Figure: two states, State0 and State1, each with a transition x'=x+1; Initial: x=0  State0; P: AG(State1  ( . x =2+1))]

  5. Examples of Infinite State Systems
  • Timed automata [Alur, Dill 90]
  • Finite state control + real-valued clocks which increase uniformly or are reset, based on clock constraints
  • Clock constraints are restricted to x # c (# is one of , , , , )
  • Verification results: region reachability, TCTL model checking [Alur et al. 93], binary reachability [Comon, Jurski 99]
  • Pushdown automata
  • Finite state control plus an unrestricted stack
  • Verification results: μ-calculus model checking [Walukiewicz 96, Bouajjani et al. 97]

  6. Restricted Infinite-State Systems
  • Basic model: reversal-bounded counter machines (CM)
  • A nondeterministic finite automaton augmented with a finite number of counters
  • Each counter can be incremented or decremented by 1 and tested for zero
  • The counters are reversal-bounded: the number of times a counter can change from non-decreasing to non-increasing and vice versa is bounded by a constant

  7. Reversal-Bounded Computation
  [Figure: plot of a counter value over the course of a computation, with each reversal marked]

  8. Reversal-Bounded Counters (CM)
  • Note that a counter can take any value in 
  • The number of states (i.e., configurations of the machine) is infinite
  • Without the reversal-boundedness restriction, basic properties of counter machines (such as emptiness) are undecidable (two unrestricted counters  TM)

  9. Adding a Pushdown to CM
  • A reversal-bounded counter machine CM can be extended with additional data structures
  • A pushdown counter machine (PCM) is a reversal-bounded counter machine augmented with a single unrestricted pushdown stack
  • PCMs are more powerful than CMs and pushdown automata
  • Emptiness is undecidable with a two-way input tape or with two pushdowns

  10. Adding a Restricted Tape to CM
  • A tape counter machine (TCM) is a reversal-bounded counter machine augmented with a single restricted two-way read/write worktape
  • The tape is finite-crossing: the number of times the head crosses the boundary between any two adjacent cells of the worktape is bounded by a constant
  • TCMs and PCMs are incomparable

  11. Adding a Restricted Queue to CM
  • A queue counter machine (QCM) is a CM augmented with a single restricted queue
  • The queue is phase-bounded: the number of alternations between a non-deletion phase and a non-insertion phase is bounded by a constant
  • TCMs can effectively simulate QCMs
  • An unrestricted queue can simulate a TM

  12. A Simple Example
  • The producer has a produce state with a write transition that increments the produced counter and writes a symbol from the finite alphabet {a, b} to the queue
  • The consumer has a consume state with a read transition that increments the consumed counter and reads a symbol from the queue
  • We can check invariants such as: produced - consumed equals the number of items in the queue, and the number of a's in the queue is less than or equal to the number of b's
  [Figure: PRODUCER (finite state control + counter produced) and CONSUMER (finite state control + counter consumed) connected by a queue]

  13. Language Acceptors vs. Behavior Generators
  • Computational models can be used as language recognizers when they are augmented with a one-way read-only input tape
  • We are interested in the behaviors they generate: use computational models as system specifications rather than as language recognizers
  • Machines with an input tape can be used to analyze parametric systems, where the parameters are specified on the input tape

  14. Interesting Properties for Language Acceptors
  • Given arbitrary language acceptor machines M1, M2:
  • Emptiness: Is L(M1) (the language accepted by M1) empty?
  • Containment: Is L(M1)  L(M2)?
  • Equivalence: Is L(M1) = L(M2)?
  • Simplest acceptors: finite automata (deterministic, nondeterministic, one-way input tape, two-way input tape). The above properties are decidable.

  15. Interesting Properties for Behavior Generators
  • Binary reachability: Given two configurations ,  of machine M, is there a behavior which starts at  and reaches ?
  • Forward reachability: Given a set of configurations S, what is the set of configurations that the machine M can reach starting from a configuration in S?
  • Backward reachability: Given a set of configurations S, what is the set of configurations that the machine M can start from and reach a configuration in S?

  16. Interesting Properties for Behavior Generators
  • Nonsafety: Given a machine M, an initial set I and a set P of configurations, is there a configuration in I which reaches a configuration in P?
  • Invariance: Given a machine M, an initial set I and a set P of configurations, are all the configurations on all the behaviors which start from I in P?
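An added illustration (not the authors' code) of the definitions on slides 6, 11 and 12 and the queries on slide 16: the producer/consumer queue counter machine of slide 12 is explored explicitly up to a step bound, the invariance query (produced - consumed equals the queue length) is checked on what was reached, the nonsafety query (more a's than b's in the queue) is answered with a witness configuration, and the reversal count of a counter trace and the phase count of a queue trace are computed. The state exploration is a bounded approximation used for illustration only; the talk's point is that the reversal-bounded model admits exact decision procedures instead.

```python
# Constructed model of the slide-12 system: counters (produced, consumed) and a queue over {a, b}.
ALPHABET = ("a", "b")
INIT = (0, 0, "")              # (produced, consumed, queue contents)

def successors(cfg):
    """One transition: the producer writes a or b, or the consumer reads the head."""
    produced, consumed, queue = cfg
    nxt = [(produced + 1, consumed, queue + s) for s in ALPHABET]   # write transition
    if queue:                                                        # read transition
        nxt.append((produced, consumed + 1, queue[1:]))
    return nxt

def forward_reach(depth):
    """Configurations reachable from INIT within `depth` transitions (bounded F_M)."""
    seen, frontier = {INIT}, [INIT]
    for _ in range(depth):
        frontier = [n for c in frontier for n in successors(c) if n not in seen]
        seen.update(frontier)
    return seen

def balance_invariant(depth):
    """Invariance query: produced - consumed == |queue| in every reached configuration."""
    return all(p - c == len(q) for p, c, q in forward_reach(depth))

def a_le_b_witness(depth):
    """Nonsafety query: a reached configuration with more a's than b's, or None."""
    for cfg in sorted(forward_reach(depth), key=lambda c: c[0] + c[1]):
        if cfg[2].count("a") > cfg[2].count("b"):
            return cfg
    return None

def reversals(values):
    """Reversals of a counter trace: switches between non-decreasing and non-increasing."""
    n, direction = 0, 0            # direction: +1 increasing, -1 decreasing, 0 unknown yet
    for prev, cur in zip(values, values[1:]):
        d = (cur > prev) - (cur < prev)
        if d and direction and d != direction:
            n += 1
        if d:
            direction = d
    return n

def phase_alternations(ops):
    """Queue phases: alternations between insert-only and delete-only runs of operations."""
    n, phase = 0, None
    for op in ops:
        if phase is not None and op != phase:
            n += 1
        phase = op
    return n
```

Both counters of the slide-12 system only ever increase, so every trace of produced or consumed has zero reversals; the queue, by contrast, can alternate phases as often as the interleaving chooses.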

  17. Basic Approach
  • First show decidability of the emptiness problem for a class of language acceptors
  • Reduce verification problems to the emptiness problem
  • Given an arbitrary machine M:
  • Show that a verification property of M can be specified as a language
  • Show that a language acceptor M' can be effectively constructed which accepts this language
  • Show that the verification query can be answered by checking language emptiness of the language acceptor M'

  18. Emptiness Problem for PCM-acceptors
  Theorem: The emptiness problem for PCM-acceptors is decidable [Ibarra 78]
  Proof Idea: Given an alphabet A with symbols a1, ..., ak, for each word w in A* define f(w) = (i1, ..., ik), where ij is the number of occurrences of aj in w (Parikh map). Given a PCM-acceptor M, f(L(M)) is an effectively computable Presburger formula (equivalently, it is a semilinear set). L(M) is empty iff f(L(M)) is empty, which is decidable since f(L(M)) is Presburger.

  19. Emptiness Problem for CM-acceptors
  Corollary: The emptiness problem for CM-acceptors is decidable
  The emptiness problem for CM-acceptors is decidable in time n^(ckr) for some constant c, where n is the size of the finite state control, k is the number of counters, and r is the reversal bound on each counter [Gurari and Ibarra 81]

  20. Emptiness Problem for TCM-acceptors
  Theorem: The emptiness problem for TCM-acceptors is decidable
  Lemma 1: Let M be a TCM-acceptor. We can effectively construct a TCM M' such that L(M) = L(M') and in any computation of M' its read/write head moves left or right of a cell in every step
  Lemma 2: Let M be a TCM-acceptor. We can effectively construct a TCM M' such that L(M) is nonempty iff M', when started with a blank worktape and zero counters, has a halting sequence of moves

  21. Binary Reachability
  Given a machine M, define the reachability set R(M) of M as the set of all pairs of configurations (, ) such that  can reach  in 0 or more transitions
  Theorem: Given a PCM M, we can effectively construct a PCM acceptor M' accepting R(M)
  Proof Idea: First, M' reads configuration  and records it. Then M' simulates the computation of M. At some point it guesses that it has reached  and verifies its guess by comparing it with the input
  Theorem: Given a TCM M, we can effectively construct a TCM acceptor M' accepting R(M)

  22. Safety
  Theorem: Given a PCM (TCM) M and two sets of configurations I and P accepted by CM acceptors, we can effectively construct a PCM (TCM) M' that accepts a configuration  iff 1)  is in I, and 2) M, when started in , can reach a configuration in P
  Proof Idea: Let MI and MP be CM acceptors accepting I and P, respectively. We construct a PCM acceptor M' which first checks that its input is accepted by MI. Then it simulates M starting from this input configuration. Then it guesses that it has reached a configuration in P and verifies this guess by checking that the configuration is accepted by MP

  23. Safety
  Corollary 2: Given a PCM (TCM) M and two sets of configurations I and P accepted by a CM acceptor and a deterministic CM-acceptor, respectively, we can effectively construct a PCM (TCM) M' that accepts a configuration  iff 1)  is in I, and 2) M, when started in , can reach a configuration not in P

  24. Forward and Backward Reachability
  Given a machine M and a set of configurations P, define the set of configurations F_M(P) (B_M(P)) as the set of configurations that can be reached from (that can reach) configurations in P in 0 or more transitions
  Theorem: Given a PCM (TCM) M and a set of configurations P accepted by a CM-acceptor, we can effectively construct a PCM (TCM) acceptor accepting F_M(P)
  The same result holds for B_M(P)

  25. Forward and Backward Reachability
  Theorem: Let M be a CM and P be a set of configurations. Then B_M(P) (F_M(P)) is accepted by a CM acceptor iff P is accepted by a CM acceptor
  Corollary: Let M be a CM and P be a set of configurations. Then B_M(P) (F_M(P)) is Presburger iff P is Presburger

  26. Extensions to Computational Models
  • Allowing counters to store negative integer values
  • Allowing counters to increment or decrement by an integer constant c
  • Allowing tests of the form x # c, where x is a counter, c is an integer constant, and # is one of , , , , 
  • One can show that for all the computational models we discussed, a machine M using such extensions can be converted to a machine M' which does not use these extensions and L(M) = L(M')

  27. Extensions to Computational Models
  • Consider linear relation tests constructed using atomic linear relations of the form
  • x Caxx < b (where C is the set of counters)
  • and logical connectives , 
  • The emptiness problem for deterministic CM-acceptors using linear relation tests is undecidable
  • If we restrict PCM (TCM) to be mode-bounded (i.e., the number of changes between the modes increasing, decreasing, and no-change is bounded by a constant), then the emptiness problem is decidable even when linear tests are used [Ibarra et al. 00]

  28. Applications
  • One can show the decidability of verification problems for a system by reducing it to one of the systems we presented
  • Binary reachability of discrete timed automata with a pushdown is decidable [Dang et al. 00]

  29. Applications
  • By restricting the behaviors of a given infinite-state system one can obtain a conservative approximation of the given system
  • in the sense that when an error is found in the restricted system, this implies that the error exists in the original system
  • Finding bugs is as important as verifying a system
  • The restrictions we discussed are not as severe as bounded model checking [Biere et al. 99], which limits the number of execution steps

  30. Conclusions and Future Work
  • We showed that there are various restrictions one can put on computational models which will ensure the decidability of reachability problems
  • We need to investigate the complexity of the verification problems for these restricted models
  • We need to investigate extending these results to liveness properties and temporal logics