
Regular Model Checking

  1. Regular Model Checking. Ahmed Bouajjani, Bengt Jonsson, Marcus Nilsson and Tayssir Touili. Moran Ben Tulila, 8.5.12

  2. Outline
  • Introduction
  • Program Model Definition
  • Automata Theoretic Construction of the Transitive Closure
  • Widening Based Techniques
  • Model Checking of ω-Regular Properties
  • Conclusion

  3. About Regular Model Checking
  • A framework for algorithmic verification of infinite-state systems with e.g. queues, stacks, integers, or a parameterized linear (or ring-formed) topology
  • Considers systems whose states can be represented as finite strings of arbitrary length over a finite alphabet
  • We will focus on the problems of computing the set of states that are reachable from some set of initial states, and on computing the transitive closure of the transition relation

  4. Verification Problems
  • Computing Reachability Sets -
  • Computing Transitive Closure -

  5. Motivation
  • The problem of verifying that a system satisfies a certain correctness property is usually reduced to checking some form of reachability problem on a transition system model of the system
  • Examples: mutual exclusion, finding loops of parameterized systems
  • Q: So, why not use standard iteration-based methods?

  6. The (Obvious) Answer:
  • Termination is not guaranteed for parameterized or infinite-state systems! Termination is guaranteed only if there is a bound on the distance (in number of transitions) from the initial configurations to any reachable configuration

  7. Definitions
  • Regular Set -
  • Cross Product -

  8. Definitions (Cont.)
  • Regular Relation - A regular relation can be conveniently recognized by a finite-state transducer

  9. Definitions (Cont.)
  • Transducer - Example: the token passing protocol (figure: a transducer with states 0, 1, 2)
  • The transition relation can be represented by a finite set of actions, where each action is a regular relation between strings that can be represented by a finite-state transducer (like the one above)

  10. Program Model
  • Example: the token passing protocol

  11. Another Example of System Modeling
  • Systems communicating over unbounded FIFO channels (figure: machines M1, M2, M3 connected by a FIFO channel)
  • Configurations are of the form:

  12. Another Example of System Modeling (Cont.)
  • The system is modeled by:

  13. Computing the Transitive Closure
  • We will present a technique for computing R+ by computing a minimal deterministic transducer that recognizes it
  • At this point our construction is not guaranteed to terminate (in particular if R+ is not regular)
  • We will see how to deal with that problem in a few slides
  • From now on, assume R is a regular relation on

  14. Computing the Transitive Closure (Cont.)
  • R regular ⇒ R can be represented as a finite-state transducer:

  15. Computing the Transitive Closure (Cont.)

  16. Computing the Transitive Closure (Cont.)
  • In matrix form:

  17. Computing the Transitive Closure (Cont.)
  • The first step in our construction will be to regard this matrix as a single run of another transducer
  • The new transducer's states will be the columns of the matrix
  • The new transducer's transitions will represent the relationship between adjacent columns in the matrix

  18. Computing the Transitive Closure (Cont.)
  • We define the Column Transducer for R+ as the tuple where:
  - F+ is the set of non-empty sequences of accepting states of R
  • The column transducer for R+ accepts exactly the relation R+

  19. Example
  • Recall our transducer for the transition relation of the token passing protocol:
  • Alphabet slightly changed

  20. Example
  • The matching column transducer looks as follows:

  21. But…
  • The calculated transducer has infinitely many states
  • So, we will try to determinize it using the standard subset construction, in the hope of decreasing the number of states

  22. Reminder from Automata Course
  Subset Construction:
  • The standard method for converting a nondeterministic finite automaton (NFA) into a deterministic finite automaton (DFA) which recognizes the same formal language
  • Applies most directly to an NFA that does not allow epsilon moves
  • For an NFA (Q, Σ, T, q0, F) in which Q is the set of states, Σ is the set of input symbols, T is the transition function, q0 is the initial state, and F is the set of accepting states, the matching DFA has states corresponding to subsets of Q. Its initial state is {q0}; the transition function of the DFA maps a state S (representing a subset of Q) and an input symbol x to the set T(S,x) = ∪{T(q,x) | q ∈ S}; and a state S of the DFA is an accepting state if and only if at least one member of S is an accepting state of the NFA

  23. Subset Construction Example
  • For the NFA:

  24. Subset Construction Example (Cont.)
  • We get the following DFA:

  25. Determinizing the Column Transducer
  • Let x,y range over columns and X,Y over sets of columns
  • The subset construction applied to the column transducer yields the automaton: where:

  26. Determinizing the Column Transducer (Cont.)
  • A few technical details:
  • The transducer is constructed on-the-fly, starting from the initial state and computing successors for each generated state X and pair of symbols (a,a')
  • The construction terminates when no new states are generated
  • In most cases, the subset construction does not yield a finite automaton
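As an added worked example (not code from the slides or from the paper), the Python below encodes the token-passing transducer of slide 9, derives the column transducer of slides 17 and 18 from it, and runs the subset construction of slides 25 and 26 on the fly over a pair of words. Because the set I+ of initial columns is infinite, columns are bounded to length k, so the function decides membership in R ∪ R² ∪ … ∪ R^k rather than in all of R+; the state names 0, 1, 2 and the tape symbols 't' (holds the token) and 'n' (no token) are assumptions.

```python
from itertools import product

# Assumed encoding of the token-passing action (slide 9): state 0 copies
# token-free cells, the token leaves a cell on (t,n), arrives at the
# right neighbour on (n,t), and state 2 copies the remaining cells.
SIGMA = ("t", "n")
INIT, FINAL = 0, {2}
DELTA = {
    (0, ("n", "n")): {0},
    (0, ("t", "n")): {1},
    (1, ("n", "t")): {2},
    (2, ("n", "n")): {2},
}


def column_successors(col, a, a_prime):
    """Successors of column `col` on the pair (a, a') in the column
    transducer: row i of the matrix must be an R-step q_i --(a_{i-1}, a_i)-->
    q'_i for some intermediate symbols a = a_0, a_1, ..., a_n = a'."""
    n = len(col)
    result = set()
    for mid in product(SIGMA, repeat=n - 1):   # one matrix column of the R^n run
        syms = (a,) + mid + (a_prime,)
        rows = [DELTA.get((q, (syms[i], syms[i + 1])), set())
                for i, q in enumerate(col)]
        if all(rows):                          # every row has an R-transition
            result.update(product(*rows))
    return result


def subset_step(X, a, a_prime):
    """One deterministic transition of the subset-constructed column
    transducer: the set of all columns reachable from any column in X."""
    Y = set()
    for x in X:
        Y |= column_successors(x, a, a_prime)
    return frozenset(Y)


def in_transitive_closure(w, w_prime, max_iter):
    """Decide (w, w') in R u R^2 u ... u R^max_iter by building the
    determinized column transducer on the fly along the input pair.
    The length bound keeps the initial set of columns finite."""
    if len(w) != len(w_prime):
        return False                           # R is length preserving
    X = frozenset((INIT,) * k for k in range(1, max_iter + 1))
    for a, a_prime in zip(w, w_prime):
        X = subset_step(X, a, a_prime)
        if not X:
            return False                       # no run survives this symbol pair
    # Accept iff some surviving column consists only of accepting states (F+).
    return any(all(q in FINAL for q in col) for col in X)


if __name__ == "__main__":
    # Constructed inputs: the token travels three cells to the right.
    print(in_transitive_closure("tnnn", "nnnt", 3))   # True  (needs R^3)
    print(in_transitive_closure("tnnn", "nnnt", 2))   # False (bound too small)
    print(in_transitive_closure("ntnn", "tnnn", 3))   # False (token never moves left)
```

Raising `max_iter` enlarges the finite approximation of I+; the saturation rule of slides 29 and 30 is what lets the real construction drop that bound.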

  27. Determinizing the Column Transducer - Example
  • Deterministic transducer built from the column transducer for the token passing protocol:

  28. Transducer's Minimization
  • As shown, the subset construction doesn't necessarily yield a finite automaton
  • Therefore, we try to make it smaller by identifying equivalent sets of columns during the construction (and merging them)
  • We define equivalent sets as follows:
  • Two sets X,Y of columns are equivalent if suff(X)=suff(Y)

  29. Transducer's Minimization (Cont.)
  • Detection of equivalent sets is based on saturation
  • The basic idea:
  • Extend (saturate) each set X of columns by additional columns x such that
  • Hopefully, two equivalent sets of columns will become identical after saturation

  30. Transducer's Minimization (Cont.)
  • Definition:
  • A state q in the original transducer R is a copying state if
  • Saturation Rule:

  31. Transducer's Minimization (Cont.)
  • If the set of reachable states in the automaton is finite, then R+ is regular and, using standard techniques, we can obtain a minimal deterministic finite-state transducer which recognizes R+

  32. Transducer's Minimization - Example
  • The minimal deterministic transducer accepting R+ for the token passing protocol is:

  33. Termination
  • It can be shown that R+ is regular under some sufficient conditions on a regular relation R (so in that case our construction of R+ yields a finite-state transducer)
  • In order to characterize the class of regular relations R for which our transitive-closure construction works, we define a notion of local depth:

  34. Termination (Cont.)
  • Intuitively, a relation with local depth k never needs to rewrite any element of a word more than k times to relate two words

  35. Termination (Cont.)
  • For example:
  • The transition relation in a parameterized system in which a process passes a token to its right neighbor (token passing protocol) has local depth 2, since in an arbitrary execution sequence each process is affected at most twice:
  • When receiving the token
  • When sending the token

  36. Computing Reachable Configurations
  • With some modifications, this method enables us to compute the set of reachable configurations as well

  37. Widening
  • Used to speed up the calculation of a regular fixpoint
  • Applied during the iterative construction of the set of reachable configurations in order to help termination
  • Our technique consists in:
  • guessing automatically the image of iterating a relation starting from some given regular set
  • deciding whether this guess is correct

  38. Computing Set of Reachable Configurations
  • A widening step consists in:
  • guessing the result of iterating R starting from by comparing to. In general, this guess can be made by considering the sets up to some finite bound k
  • adding the obtained set (the guess) to the computed set of configurations
  • continuing exploration of the configuration space

  39. Computing Set of Reachable Configurations (Cont.)
  • Intuitively:
  • C1: applying R to is like "adding" between and
  • C2: ( is a fixpoint of and is the least fixpoint of F)

  40. Computing Set of Reachable Configurations (Cont.)
  • Our work process:
  • Given two regular sets and we need to find regular sets such that C1 holds, and check that condition C2 also holds for these sets
  • Notice that by adding to the computed set of configurations we capture at least all the configurations reachable from by iterating R. Nevertheless, the inclusion isn't guaranteed by C2 (for any kind of regular relation R)

  41. Computing Set of Reachable Configurations - Example
  • Computing the reachability set from the initial configurations for the token passing protocol:
  • C1 holds since:
  • C2 holds since:
  • In this example, we apply an exact widening step by adding to the set of reachable configurations. By doing this, our procedure terminates and we get the result:

  42. Exact Widening
  • As stated before, our method doesn't guarantee finding the set of reachable configurations exactly
  • We will introduce a class of relations for which it can be shown that our widening technique is exact

  43. Exact Widening (Cont.)
  • A few definitions -

  44. Exact Widening (Cont.)
  • A few definitions (cont.) -

  45. Exact Widening (Cont.)
  • To prove this theorem we define:
  • Noetherian relations - a length preserving relation R is Noetherian iff

  46. Exact Widening (Cont.)
  • Then we can prove:

  47. Constructing Transitive Closures
  • The widening technique can also be used to compute the transitive closure of a length preserving relation R

  49. Verifying Properties
  • We will show how to reduce the problem of verifying a property specified by a Büchi automaton to the problem of computing the transitive closure
  • Based on the fact that detecting infinite sequences reduces to detecting loops
  • We can use this idea to verify that a program satisfies an ω-regular property under a set of fairness requirements

  50. Verifying Properties (Cont.)
  • An ω-language consists of infinite words (ω-words), where each word can be viewed as a function from N to Σ, with the value at i giving the symbol at position i
  • The set of all infinite words over Σ is denoted Σω
  • Thus, an ω-language L over Σ is a subset of Σω
  • An ω-language L is ω-regular if it has the form:
  • Aω where A is a nonempty regular language not containing the empty string
  • AB, the concatenation of a regular language A and an ω-regular language B (note that BA is not well-defined)
  • A∪B where A and B are ω-regular languages (this rule can only be applied finitely many times)
