
Model Checking Lecture 5


ann

Presentation Transcript


  1. Model Checking Lecture 5

  2. Outline • 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness • 2 Graph algorithms for model checking • Symbolic algorithms for model checking • Pushdown systems

  3. From Finite to Infinite-State Systems • So far, algorithms for systems with finite state spaces • Sources of infinite state: • Control: recursion • Data: unbounded numeric variables, lists • Time: systems with real-time clocks • Parameters: arbitrary number of participating processes


  5. Decidability vs. Expressiveness • Unbounded state ⇏ Undecidable • Is the unbounded system able to encode a Turing machine? • Single-counter machines? NO • Two-counter machines? YES • Single-stack machines? NO • Two-stack machines? YES


  7. State representation • Explicit representation infeasible • Symbolic representation is the key • For the transition system • For the reachable states

  8. Pushdown systems (G, L, g0, l0, Δ) • g, h ∈ G : finite set of control states • l, m ∈ L : finite set of stack symbols • g0 : initial control state • l0 : initial stack symbol • Δ : set of transitions

  9. Remarks The classical definition of a pushdown system has, in addition, an alphabet I of input symbols. Each transition depends on the control state, the top of the stack, and the input symbol. The language L ⊆ I* of a classical pushdown system contains those input sequences for which there is an execution leading to the empty stack. We are only concerned with reachability analysis and will therefore ignore I.

  10. Three kinds of transitions: • (g, l) → (h, m) (step) • (g, l) → (h, m n) (call) • (g, l) → (h, ε) (return) • Configuration: a control state paired with a stack word, written (g, l m …) with the top of the stack on the left [figure: stack diagrams for the three kinds of transitions]

  11. Modeling sequential programs • An element in G is a valuation to global variables • An element in L is a valuation to local variables together with the current instruction address (for the frame at the top of the stack) or the return instruction address (for the other frames)

  12. Example
  bool a = F;
  void main( ) { L1: a = T; L2: flip(a); L3: }
  void flip(bool x) { L4: a = !x; L5: }
  Each configuration lists the global a and then one (x, pc) pair per stack frame: (F, _, L1) → (T, _, L2) → (T, _, L3 · T, L4) → (F, _, L3 · T, L5) → (F, _, L3) → (F, ε)

  13. Reachability problem Given pushdown system (G, L, g0, l0, Δ) and control state g, does there exist a stack ls ∈ L* such that (g0, l0) →* (g, ls)?

  14. Naïve algorithm • Add (g0, l0) to R • If (g, ls) ∈ R and (g, ls) → (g’, ls’), add (g’, ls’) to R

  15. Problem with the naïve algorithm • R is unbounded so algorithm won’t terminate • Two solutions: • Summary-based (a.k.a. interprocedural dataflow analysis) • Automata-based

  16. Algorithm I • E(g, l, h, m) (step edges) • E+(g, l, h, nm) (call edges) • E-(g, l, h) (pop edges) • Initially: E(g0, l0, g0, l0); E+ is empty; E- is empty

  17. Step rule • Premises: E(g, l, h, m) and (h, m) → (h’, m’) • Conclusion: E(g, l, h’, m’)

  18. Call rule • Premises: E(g, l, h, m) and (h, m) → (h’, n’m’) • Conclusions: E+(g, l, h’, n’m’) and E(h’, n’, h’, n’)

  19. Return rule • Premises: E(g, l, h, m) and (h, m) → (h’, ε) • Conclusion: E-(g, l, h’)

  20. Summary rule • Premises: E+(g, l, h, nm) and E-(h, n, h’) • Conclusion: E(g, l, h’, m)

  21. Example
  int g = 0
  main() { L0: incr() L1: g = 0 L2: incr() L3: }
  incr() { L4: g = g+1 L5: }
  Control state = value of g, stack symbol = instruction address. Edges derived from the initial edge E(0, L0, 0, L0): • E+(0, L0, 0, L4·L1) • E(0, L4, 0, L4) • E(0, L4, 1, L5) • E-(0, L4, 1) • E(0, L0, 1, L1) • E(0, L0, 0, L2) • E+(0, L0, 0, L4·L3) • E(0, L0, 1, L3) • E-(0, L0, 1)

  22. Example
  int g = 0
  main() { L0: if (*) L1: foo(0) else L2: foo(1) L3: assert(g > 0) L4: }
  foo(r) { L5: if (r = 0) L6: foo(r) else L7: g = g + 1 L8: }
  Control state = value of g; a stack symbol ⟨Lk,r⟩ pairs the instruction address with the local r. Edges derived from the initial edge E(0, L0, 0, L0): • E(0, L0, 0, L1) • E(0, ⟨L5,0⟩, 0, ⟨L5,0⟩) • E+(0, L0, 0, ⟨L5,0⟩·L3) • E(0, ⟨L5,0⟩, 0, ⟨L6,0⟩) • E+(0, ⟨L5,0⟩, 0, ⟨L5,0⟩·⟨L8,0⟩) • E(0, L0, 0, L2) • E(0, ⟨L5,1⟩, 0, ⟨L5,1⟩) • E+(0, L0, 0, ⟨L5,1⟩·L3) • E(0, ⟨L5,1⟩, 0, ⟨L7,1⟩) • E(0, ⟨L5,1⟩, 1, ⟨L8,1⟩) • E-(0, ⟨L5,1⟩, 1) • E(0, L0, 1, L3) • E(0, L0, 1, L4) • E-(0, L0, 1)

  23. Termination • Maximum number of step edges = |G|²·|L|² • Maximum number of call edges = |G|²·|L|³ • Maximum number of return edges = |G|²·|L|

  24. Reachability problem Given pushdown system (G, L, g0, l0, Δ) and control state g, does there exist a stack ls such that (g0, l0) →* (g, ls)? • Algorithm I: Summary-based • Yes, if E(g’, l’, g, l) for some g’, l’, and l. • No, otherwise.
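The summary-based saturation of slides 16–24, run on the slide-21 program, as an added example (not the lecture's own code). The pushdown encoding of that program is an assumption of the example: control state = value of the global g (bounded so the system stays finite), stack symbol = instruction address; call edges E+(g, l, h, nm) are stored as 5-tuples (g, l, h, n, m).

```python
# Summary-based reachability (Algorithm I of the slides); added example, not the
# lecture's own code. Encoding of the slide-21 program as a pushdown system is ours.
from collections import deque

def slide21_pds(max_g=3):
    """delta maps (g, l) to successors (h, w); w is the pushed word (top first):
    length 1 = step, 2 = call (callee entry, return address), 0 = return."""
    d = {}
    for g in range(max_g + 1):
        d[(g, 'L0')] = [(g, ('L4', 'L1'))]       # main: incr(), return to L1
        d[(g, 'L1')] = [(0, ('L2',))]            # g = 0
        d[(g, 'L2')] = [(g, ('L4', 'L3'))]       # incr(), return to L3
        d[(g, 'L3')] = [(g, ())]                 # main returns
        if g < max_g:                            # bound g so the encoding is finite
            d[(g, 'L4')] = [(g + 1, ('L5',))]    # incr: g = g + 1
        d[(g, 'L5')] = [(g, ())]                 # incr returns
    return d

def summary_reach(delta, g0, l0):
    """Saturate E (step), Ep (call, stored as (g, l, h, n, m)) and Em (pop) edges."""
    E, Ep, Em = {(g0, l0, g0, l0)}, set(), set()
    work = deque(E)
    def add_E(e):
        if e not in E:
            E.add(e)
            work.append(e)
    while work:
        g, l, h, m = work.popleft()
        for h2, w in delta.get((h, m), ()):      # transitions enabled at (h, m)
            if len(w) == 1:                      # step rule
                add_E((g, l, h2, w[0]))
            elif len(w) == 2:                    # call rule
                n2, m2 = w
                Ep.add((g, l, h2, n2, m2))
                add_E((h2, n2, h2, n2))
                for x, y, h3 in list(Em):        # summary rule with a known pop edge
                    if (x, y) == (h2, n2):
                        add_E((g, l, h3, m2))
            else:                                # return rule
                Em.add((g, l, h2))
                for x, y, h3, n3, m3 in list(Ep):  # summary rule with a known call edge
                    if (h3, n3) == (g, l):
                        add_E((x, y, h2, m3))
    return E, Ep, Em

def control_reachable(delta, g0, l0, g):
    """Slide 24: yes iff E(g', l', g, l) for some g', l', l."""
    E, _, _ = summary_reach(delta, g0, l0)
    return any(h == g for _, _, h, _ in E)
```

The derived E, E+ and E- edges are exactly the ten listed on slide 21, and g = 1 is reachable while g = 2 is not.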

  25. Algorithm II • Add (g0, l0) to R • If (g, ls) ∈ R and (g, ls) → (g’, ls’), add (g’, ls’) to R • Key idea: use a finite automaton to symbolically represent R

  26. Symbolic representation • Pushdown system (G, L, g0, l0, Δ) • Representation automaton (Q, L, T, G, F) • Q (⊇ G) is the set of states • L is the alphabet • T is the transition relation • G is the set of initial states • F is the set of final states

  27. [figure: automaton with states g, h, s1, s2 and edges g --l--> s1, s1 --m--> s1, s1 --l--> s2, h --m--> s2] Represents the set of configurations: { (h, m), (g, l m* l) } • A set C of configurations is regular if it is representable by an automaton • Theorem (Büchi): The set of configurations reachable from a regular set is also regular.

  28. Remark The classical definition of a pushdown system has, in addition, an alphabet I of input symbols. Büchi’s theorem does not contradict the fact that pushdown systems can accept non-regular languages over the input alphabet I: the language of reachable stack configurations is a language over the alphabet L, whereas the accepted language is a language over the alphabet I.

  29. Pushdown system: (G, L, g0, l0, Δ) • G = {g0, g1, g2} • L = {l0, l1, l2} • Δ: (g0, l0) → (g1, l1 l0); (g1, l1) → (g2, l2 l0); (g2, l2) → (g0, l1); (g0, l1) → (g0, ε) • Initial configuration automaton: g0 --l0--> s0, with s0 final

  30–36. [figure: the automaton of slide 29 is saturated one edge at a time; the two call transitions introduce the new states s1,1 and s2,2]

  37. The saturated automaton represents the set of reachable configurations { (g0, l0 | l0 l0+ | l1 l0 l0+), (g1, l1 l0+), (g2, l2 l0 l0+) }
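The automaton construction of slides 25–37, as an added example (not the lecture's own code): starting from g0 --l0--> s0, edges are added until saturation, one new state s_{h,l} per call as on slide 39; the ε-edge treatment for return transitions is an assumption of this example, and SLIDE29 is the instance of slide 29 written out as a Python dict.

```python
# Automaton-based reachability (Algorithm II) for the pushdown system of slides
# 29-37. Added example, not the lecture's own code; the state names s_{h,l} for
# calls follow slide 39, the epsilon-edge handling for returns is ours.
def post_star(delta, g0, l0, final='s0'):
    """Edges are (state, symbol, state); symbol None is an epsilon edge.
    Start from g0 --l0--> final and keep adding edges until nothing changes."""
    edges = {(g0, l0, final)}
    mid = {}                                     # new states s_{h,l}, one per call
    changed = True
    while changed:
        changed = False
        for p, a, q in list(edges):
            if a is None:                        # p -eps-> q -x-> r  gives  p -x-> r
                new = {(p, x, r) for q2, x, r in edges if q2 == q}
            else:
                new = set()
                for h, w in delta.get((p, a), ()):   # rules (p, a) -> (h, w)
                    if len(w) == 0:              # return: h -eps-> q
                        new.add((h, None, q))
                    elif len(w) == 1:            # step: h -w0-> q
                        new.add((h, w[0], q))
                    else:                        # call: h -w0-> s_{h,w0} -w1-> q
                        s = mid.setdefault((h, w[0]), 's_%s,%s' % (h, w[0]))
                        new |= {(h, w[0], s), (s, w[1], q)}
            if not new <= edges:
                edges |= new
                changed = True
    return edges

def eps_closure(edges, states):
    todo, seen = list(states), set(states)
    while todo:
        p = todo.pop()
        for p2, a, r in edges:
            if p2 == p and a is None and r not in seen:
                seen.add(r)
                todo.append(r)
    return seen

def accepts(edges, g, stack, final='s0'):
    """Is (g, stack) in the represented set? stack lists symbols top first."""
    cur = eps_closure(edges, {g})
    for sym in stack:
        cur = eps_closure(edges, {r for p, a, r in edges if p in cur and a == sym})
    return final in cur

# Slide 29 instance (constructed here); pushed words are listed top first.
SLIDE29 = {('g0', 'l0'): [('g1', ('l1', 'l0'))], ('g1', 'l1'): [('g2', ('l2', 'l0'))],
           ('g2', 'l2'): [('g0', ('l1',))],     ('g0', 'l1'): [('g0', ())]}
```

Membership queries against the saturated automaton agree with the set on slide 37: (g0, l0 l0 l0) and (g2, l2 l0 l0) are reachable, (g0, l1 l0) and (g2, l2 l0) are not.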

  38. Let Begin be the initial configuration automaton and End the final configuration automaton. • Lemma 1: If (g, ls) ∈ Begin and (g, ls) →* (g’, ls’), then g’ can reach a final state q of End along a path labeled ls’. • Proof: simple induction on the number of steps in →*.

  39. Lemma 2: Suppose g goes to state q in End via a path labeled ls. • (1) If q is a state of Begin, then (g’, ls’) →* (g, ls) for some (g’, ls’) such that g’ goes to state q via a path labeled ls’ in Begin. • (2) If q = s_{g’,l’} is a new state in End, then (g’, l’) →* (g, ls).

  40. Begin = A0, A1, …, An = End; for each i ∈ [0, n-1], Ai+1 is obtained from Ai by adding a single edge. • Restatement of Lemma 2 for the induction: Suppose g goes to state q in Ai via a path of length j labeled ls. • (1) If q is a state of Begin, then (g’, ls’) →* (g, ls) for some (g’, ls’) such that g’ goes to state q via a path labeled ls’ in Begin. • (2) If q = s_{g’,l’} is a new state in End, then (g’, l’) →* (g, ls).
