Model Checking Infinite State Spaces · Model Checking An approach to the verification problem...
Transcript of Model Checking Infinite State Spaces · Model Checking An approach to the verification problem...
![Page 1: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/1.jpg)
Model Checking Infinite State Spaces
Javier Esparza
Laboratory for Foundations of Computer ScienceSchool of Informatics
University of Edinburgh
![Page 2: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/2.jpg)
Model Checking
An approach to the verification problem which formalises
system satisfies property
as
Kripke structure is model of temporal formula
Other possibilities are
characteristic temporal formula implies temporal formula
Kripke structure is simulated by most general Kripke structure
2
![Page 3: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/3.jpg)
Nothing in the essence of the approach requires the Kripke structure to be finite
Actually, Kripke structures for real systems are very often infinite
The finiteness constraint is due to our currenttechnology, not to the approach itself
3
![Page 4: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/4.jpg)
Sources of infinity
Data manipulation: unbounded counters, integer variables, lists . . .
Control structures: procedures , process creation . . .
Asynchronous communication: unbounded FIFO queues
Parameters: number of processes, of principals, of input gates, delays, . . .
Real-time: discrete or dense domains
4
![Page 5: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/5.jpg)
A bit of history
• Late 80s, early 90s: First theoretical papers
Decidability/Undecidability results for Place/Transition Petri nets
Efficient model-checking algorithms for context-free processes
Region construction for timed automata
• 90s: Research program
1. Decidability analysis
2. Design of algorithms or semi-algorithms
3. Design of implementations
4. Tools
5. Applications
• Late 90s, 00s: General techniques emerge
Automata-theoretic approach to model-checking
Symbolic reachability
Accelerations
5
![Page 6: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/6.jpg)
Programme
The automata-theoretic approach
Symbolic search: forward and backward
Case study: broadcast protocols
Accelerations
Case study: pushdown systems
Widenings
6
![Page 7: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/7.jpg)
The automata-theoretic approach
Safety property φ =⇒ Automaton A¬φ =⇒ L(¬φ)
Liveness property φ =⇒ Buchi automaton B¬φ =⇒ Lω(¬φ)
System S =⇒ Kripke structure KS =⇒ L(S), Lω(S)
Safety: S |= φ iff L(KS ×A¬φ) = ∅Liveness: S |= φ iff Lω(KS × B¬φ) = ∅
Closure under product with automata:for every S and A there is a system S ⊗A such that L(S ⊗A) = L(KS ×A)
Closure under product with Buchi automata:for every S and B there is a system S ⊗ B such that Lω(S ⊗ B) = Lω(KS × B)
7
![Page 8: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/8.jpg)
For system classes closed under product, model checking reducible to
– Reachability
Given: system S, sets I and F of initial and final configurations of KTo decide: if F can be reached from I,i.e., if there exist i ∈ I and f ∈ F such that i →∗ f
– Repeated reachability
Given: System S, sets I and F of initial and final configurations of STo decide: if F can be repeatedly reached from I,i.e. if there exist i ∈ I and f1, f2, . . . ∈ F such that i →∗ f1 →∗ f2 · · ·
I and F are usually infinite
8
![Page 9: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/9.jpg)
Symbolic search
A general framework for the reachability problem
Let C denote a (possibly infinite) set of configurations
Forward search
post(C) = immediate successors of C
Initialize C := I
Iterate C := C ∪ post(C) until
C ∩ F 6= ∅; return “reachable”, or
a fixpoint is reached; return “non-reachable”
Backward search
pre(C) = immediate predecessors of C
Initialize C := F
Iterate C := C ∪ pre(C) until
C ∩ I 6= ∅; return “reachable”, or
a fixpoint is reached; return “non-reachable”
Problem: when are the procedures effective?
9
![Page 10: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/10.jpg)
Backward search effective if . . .
1. each C ∈ C has a symbolic finite representation
2. F ∈ C
3. if C ∈ C, then C ∪ pre(C) ∈ C (and effectively computable)
4. emptyness of C ∩ I is decidable
5. C1 = C2 is decidable (to check if fixpoint has been reached)
6. any chain C1 ⊆ C2 ⊆ C3 . . . reaches a fixpoint after finitely many steps
(1) - (5) guarantee partial correctness, (6) guarantees termination
For forward search replace pre(C) by post(C) and exchange I and F
Shape of I determined by system, shape of F by specification
10
![Page 11: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/11.jpg)
Parametrized protocols
Defined for n processes.
Correctness: the desired properties hold for every n
Processes modelled as communicating finite automata
For each value of n the system has a finite state space (only one source ofinfinity)
Turing powerful, and so further restrictions sensible:
Broadcast Protocols
11
![Page 12: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/12.jpg)
Broadcast protocols
Introduced by Emerson and Namjoshi in LICS ’98
All processes execute the same algorithm, i.e., all finite automata are identical
Processes are undistinguishable (no IDs)
Communication mechanisms:
Rendezvous: two processes exchange a message and move to new states
Broadcasts: a process sends a message to all others
all processes move to new states
12
![Page 13: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/13.jpg)
Syntax
q3 q2
q1
a!!
a??
a??
a??
b!
b?
c
a!! : broadcast a message along (channel) aa??: receive a broadcasted message along ab! : send a message to one process along bb? : receive a message from one process along bc : change state without communicating with anybody
13
![Page 14: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/14.jpg)
Semantics
The global state of a broadcast protocol is completelydetermined by the number of processes in each state.
Configuration: mapping c : Q → IN
represented by the vector (c(q1), . . . , c(qn))
Semantics for an initial configuration: finite transition system with
configurations as nodes
14
![Page 15: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/15.jpg)
q3 q2
q1
a!!
a??
a??
a??
b!
b?
c
(3,1,2) −→ (4,0,2) (silent move c)
(3,1,2) −→ (3,2,1) (rendezvous b)
(3,1,2) −→ (2,1,3) (broadcast a)
(185,3425,17) −→ (17,1,3609) (broadcast a)
15
![Page 16: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/16.jpg)
Parametrized configuration: partial mapping p : Q → IN
– Intuition: “configuration with holes”
– Formally: set of configurations (total mappings matching p)
Infinite transition system (Kripke structure) of the broadcast protocol:
– Fix an initial parametrized configuration p0.
– Take the union of all finite transition systems Kc for each configuration c ∈ p0.
16
![Page 17: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/17.jpg)
A MESI-protocol
read!!
write-inv!!
local-read
local-read
read??
read??
write
write
local-read
write-inv??
write-inv??
read??
write-inv??
write-inv??
read??
M E
SI
17
![Page 18: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/18.jpg)
Reachability in broadcast protocols
Typical I: parametric configuration
Typical F : upward-closed sets
U is an upward-closed set of configurations if
c ∈ U and c′ ≥ c implies c′ ∈ U
where ≥ is the pointwise order on INn.
Sets D of “dangerous” configurations are typically upward-closed
Example: states M and S of MESI protocol should be mutually exclusive
D = {(m, e, s, i) | m ≥ 1 ∧ s ≥ 1}
Is reachability decidable if I is a parametric configurationand F is an upward-closed set?
18
![Page 19: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/19.jpg)
First try: Forward search
Since I ∈ C required by (2), the family C must contain all parametrizedconfigurations.
Satisfies (1) - (5) but not (6). Termination fails in very simple cases.
q1 q2
a?? a??
a!!
(t,0)a−→ (t,1)
a−→ (t,2)a−→ . . .
19
![Page 20: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/20.jpg)
Second try: Backward search
Since F ∈ C required by (2), the family C must contain all upward-closed sets.
[Abdulla et al I&C 160, 2000], [E. et al, LICS’99] :
Backward search satisfies (1) - (6)
20
![Page 21: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/21.jpg)
1. An upward-closed set can be finitely represented by
its set of minimal elements w.r.t. the pointwise order ≤
√
- An upward-closed set is determined by its minimal elements
- Any subset of Nk has finitely many minimal elements
Every infinite sequence c1, c2, c3, . . . of vectors of Nk contains anon-decreasing infinite subsequence ci1 ≤ ci2 ≤ ci3 . . . (Dickson’s lemma)
Assume some X ⊆ Nk has infinitely many minimal elementsEnumerate them in a sequence m1,m2 . . .
By Dicksons lemma, mi ≤ mj for some i < j
But then mj is not minimal
Contradiction
21
![Page 22: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/22.jpg)
1. An upward-closed set can be finitely represented by
its set of minimal elements w.r.t. the pointwise order ≤
√
- An upward-closed set is determined by its minimal elements
- Any subset of Nk has finitely many minimal elements
Every infinite sequence c1, c2, c3, . . . of vectors of Nk contains anon-decreasing infinite subsequence ci1 ≤ ci2 ≤ ci3 . . . (Dickson’s lemma)
Assume some X ⊆ Nk has infinitely many minimal elementsEnumerate them in a sequence m1,m2 . . .
By Dicksons lemma, mi ≤ mj for some i < j
But then mj is not minimal
Contradiction
22
![Page 23: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/23.jpg)
1. An upward-closed set can be finitely represented by
its set of minimal elements w.r.t. the pointwise order ≤
√
- An upward-closed set is determined by its minimal elements
- Any subset of Nk has finitely many minimal elements
Every infinite sequence c1, c2, c3, . . . of vectors of Nk contains anon-decreasing infinite subsequence ci1 ≤ ci2 ≤ ci3 . . . (Dickson’s lemma)
Assume some X ⊆ Nk has infinitely many minimal elementsEnumerate them in a sequence m1,m2 . . .
By Dicksons lemma, mi ≤ mj for some i < j
But then mj is not minimal
Contradiction
23
![Page 24: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/24.jpg)
1. An upward-closed set can be finitely represented by
its set of minimal elements w.r.t. the pointwise order ≤
√
- An upward-closed set is determined by its minimal elements
- Any subset of Nk has finitely many minimal elements
Every infinite sequence c1, c2, c3, . . . of vectors of Nk contains anon-decreasing infinite subsequence ci1 ≤ ci2 ≤ ci3 . . . (Dickson’s lemma)
Assume some X ⊆ Nk has infinitely many minimal elementsEnumerate them in a sequence m1,m2 . . .
By Dicksons lemma, mi ≤ mj for some i < j
But then mj is not minimal
Contradiction
24
![Page 25: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/25.jpg)
1. An upward-closed set can be finitely represented by
its set of minimal elements w.r.t. the pointwise order ≤
√
- An upward-closed set is determined by its minimal elements
- Any subset of Nk has finitely many minimal elements
Every infinite sequence c1, c2, c3, . . . of vectors of Nk contains anon-decreasing infinite subsequence ci1 ≤ ci2 ≤ ci3 . . . (Dickson’s lemma)
Assume some X ⊆ Nk has infinitely many minimal elementsEnumerate them in a sequence m1,m2 . . .
By Dicksons lemma, mi ≤ mj for some i < j
But then mj is not minimal
Contradiction
25
![Page 26: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/26.jpg)
1. An upward-closed set can be finitely represented by
its set of minimal elements w.r.t. the pointwise order ≤
√
- An upward-closed set is determined by its minimal elements
- Any subset of Nk has finitely many minimal elements
Every infinite sequence c1, c2, c3, . . . of vectors of Nk contains anon-decreasing infinite subsequence ci1 ≤ ci2 ≤ ci3 . . . (Dickson’s lemma)
Assume some X ⊆ Nk has infinitely many minimal elementsEnumerate them in a sequence m1,m2 . . .
By Dicksons lemma, mi ≤ mj for some i < j
But then mj is not minimal
Contradiction
26
![Page 27: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/27.jpg)
1. An upward-closed set can be finitely represented by
its set of minimal elements w.r.t. the pointwise order ≤
√
- An upward-closed set is determined by its minimal elements
- Any subset of Nk has finitely many minimal elements
Every infinite sequence c1, c2, c3, . . . of vectors of Nk contains anon-decreasing infinite subsequence ci1 ≤ ci2 ≤ ci3 . . . (Dickson’s lemma)
Assume some X ⊆ Nk has infinitely many minimal elementsEnumerate them in a sequence m1,m2 . . .
By Dicksons lemma, mi ≤ mj for some i < j
But then mj is not minimal
Contradiction
27
![Page 28: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/28.jpg)
2. F is upward-closed√
3. If U is upward-closed then so is U ∪ pre(U)√
Since union of upward-closed sets is upward-closed, it suffices to prove thatpre(U) is upward-closed
Take c ∈ pre(U) and c′ ≥ c. We show c′ ∈ pre(U)
c a−→ u ∈ U
≤ ≤c′ a−→ u′∈ U
28
![Page 29: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/29.jpg)
2. F is upward-closed√
3. If U is upward-closed then so is U ∪ pre(U)√
Since union of upward-closed sets is upward-closed, it suffices to prove thatpre(U) is upward-closed
Take c ∈ pre(U) and c′ ≥ c. We show c′ ∈ pre(U)
c a−→ u ∈ U
≤ ≤c′ a−→ u′∈ U
29
![Page 30: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/30.jpg)
2. F is upward-closed√
3. If U is upward-closed then so is U ∪ pre(U)√
Since union of upward-closed sets is upward-closed, it suffices to prove thatpre(U) is upward-closed
Take c ∈ pre(U) and c′ ≥ c. We show c′ ∈ pre(U)
c a−→ u ∈ U
≤ ≤c′ a−→ u′∈ U
30
![Page 31: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/31.jpg)
2. F is upward-closed√
3. If U is upward-closed then so is U ∪ pre(U)√
Since union of upward-closed sets is upward-closed, it suffices to prove thatpre(U) is upward-closed
Take c ∈ pre(U) and c′ ≥ c. We show c′ ∈ pre(U)
c a−→ u ∈ U
≤ ≤c′ a−→ u′∈ U
31
![Page 32: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/32.jpg)
2. F is upward-closed√
3. If U is upward-closed then so is U ∪ pre(U)√
Since union of upward-closed sets is upward-closed, it suffices to prove thatpre(U) is upward-closed
Take c ∈ pre(U) and c′ ≥ c. We show c′ ∈ pre(U)
c a−→ u ∈ U
≤ ≤c′ a−→ u′∈ U
32
![Page 33: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/33.jpg)
2. F is upward-closed√
3. If U is upward-closed then so is U ∪ pre(U)√
Since union of upward-closed sets is upward-closed, it suffices to prove thatpre(U) is upward-closed
Take c ∈ pre(U) and c′ ≥ c. We show c′ ∈ pre(U)
c a−→ u ∈ U
≤ ≤c′ a−→ u′∈ U
33
![Page 34: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/34.jpg)
2. F is upward-closed√
3. If U is upward-closed then so is U ∪ pre(U)√
Since union of upward-closed sets is upward-closed, it suffices to prove thatpre(U) is upward-closed
Take c ∈ pre(U) and c′ ≥ c. We show c′ ∈ pre(U)
c a−→ u ∈ U
≤ ≤c′ a−→ u′∈ U
34
![Page 35: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/35.jpg)
2. F is upward-closed√
3. If U is upward-closed then so is U ∪ pre(U)√
Since union of upward-closed sets is upward-closed, it suffices to prove thatpre(U) is upward-closed
Take c ∈ pre(U) and c′ ≥ c. We show c′ ∈ pre(U)
c a−→ u ∈ U
≤ ≤c′ a−→ u′∈ U
35
![Page 36: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/36.jpg)
4. C ∩ I is decidable√
5. C1 = C2 is decidable√
6. Any chain U1 ⊆ U2 ⊆ U3 . . . of upward-closed sets
reaches a fixpoint after finitely many steps
√
Assume this is not the case: U1 ⊂ U2 ⊂ U3 . . .
Pick some minimal element m1 ∈ U1
Pick for every i > 1 some minimal element mi /∈ U1 ∪ . . . ∪ Ui−1
Consider the sequence m1,m2,m3, . . .
Let i < j ; since mj /∈ Ui , we have mi 6≤ mj (upward-closedness)
So infinitely many elements of m1,m2,m3 . . . are incomparable
Contradiction to Dickson’s lemma
36
![Page 37: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/37.jpg)
4. C ∩ I is decidable√
5. C1 = C2 is decidable√
6. Any chain U1 ⊆ U2 ⊆ U3 . . . of upward-closed sets
reaches a fixpoint after finitely many steps
√
Assume this is not the case: U1 ⊂ U2 ⊂ U3 . . .
Pick some minimal element m1 ∈ U1
Pick for every i > 1 some minimal element mi /∈ U1 ∪ . . . ∪ Ui−1
Consider the sequence m1,m2,m3, . . .
Let i < j ; since mj /∈ Ui , we have mi 6≤ mj (upward-closedness)
So infinitely many elements of m1,m2,m3 . . . are incomparable
Contradiction to Dickson’s lemma
37
![Page 38: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/38.jpg)
4. C ∩ I is decidable√
5. C1 = C2 is decidable√
6. Any chain U1 ⊆ U2 ⊆ U3 . . . of upward-closed sets
reaches a fixpoint after finitely many steps
√
Assume this is not the case: U1 ⊂ U2 ⊂ U3 . . .
Pick some minimal element m1 ∈ U1
Pick for every i > 1 some minimal element mi /∈ U1 ∪ . . . ∪ Ui−1
Consider the sequence m1,m2,m3, . . .
Let i < j ; since mj /∈ Ui , we have mi 6≤ mj (upward-closedness)
So infinitely many elements of m1,m2,m3 . . . are incomparable
Contradiction to Dickson’s lemma
38
![Page 39: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/39.jpg)
4. C ∩ I is decidable√
5. C1 = C2 is decidable√
6. Any chain U1 ⊆ U2 ⊆ U3 . . . of upward-closed sets
reaches a fixpoint after finitely many steps
√
Assume this is not the case: U1 ⊂ U2 ⊂ U3 . . .
Pick some minimal element m1 ∈ U1
Pick for every i > 1 some minimal element mi /∈ U1 ∪ . . . ∪ Ui−1
Consider the sequence m1,m2,m3, . . .
Let i < j ; since mj /∈ Ui , we have mi 6≤ mj (upward-closedness)
So infinitely many elements of m1,m2,m3 . . . are incomparable
Contradiction to Dickson’s lemma
39
![Page 40: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/40.jpg)
4. C ∩ I is decidable√
5. C1 = C2 is decidable√
6. Any chain U1 ⊆ U2 ⊆ U3 . . . of upward-closed sets
reaches a fixpoint after finitely many steps
√
Assume this is not the case: U1 ⊂ U2 ⊂ U3 . . .
Pick some minimal element m1 ∈ U1
Pick for every i > 1 some minimal element mi /∈ U1 ∪ . . . ∪ Ui−1
Consider the sequence m1,m2,m3, . . .
Let i < j ; since mj /∈ Ui , we have mi 6≤ mj (upward-closedness)
So infinitely many elements of m1,m2,m3 . . . are incomparable
Contradiction to Dickson’s lemma
40
![Page 41: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/41.jpg)
4. C ∩ I is decidable√
5. C1 = C2 is decidable√
6. Any chain U1 ⊆ U2 ⊆ U3 . . . of upward-closed sets
reaches a fixpoint after finitely many steps
√
Assume this is not the case: U1 ⊂ U2 ⊂ U3 . . .
Pick some minimal element m1 ∈ U1
Pick for every i > 1 some minimal element mi /∈ U1 ∪ . . . ∪ Ui−1
Consider the sequence m1,m2,m3, . . .
Let i < j ; since mj /∈ Ui , we have mi 6≤ mj (upward-closedness)
So infinitely many elements of m1,m2,m3 . . . are incomparable
Contradiction to Dickson’s lemma
41
![Page 42: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/42.jpg)
4. C ∩ I is decidable√
5. C1 = C2 is decidable√
6. Any chain U1 ⊆ U2 ⊆ U3 . . . of upward-closed sets
reaches a fixpoint after finitely many steps
√
Assume this is not the case: U1 ⊂ U2 ⊂ U3 . . .
Pick some minimal element m1 ∈ U1
Pick for every i > 1 some minimal element mi /∈ U1 ∪ . . . ∪ Ui−1
Consider the sequence m1,m2,m3, . . .
Let i < j ; since mj /∈ Ui , we have mi 6≤ mj (upward-closedness)
So infinitely many elements of m1,m2,m3 . . . are incomparable
Contradiction to Dickson’s lemma
42
![Page 43: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/43.jpg)
4. C ∩ I is decidable√
5. C1 = C2 is decidable√
6. Any chain U1 ⊆ U2 ⊆ U3 . . . of upward-closed sets
reaches a fixpoint after finitely many steps
√
Assume this is not the case: U1 ⊂ U2 ⊂ U3 . . .
Pick some minimal element m1 ∈ U1
Pick for every i > 1 some minimal element mi /∈ U1 ∪ . . . ∪ Ui−1
Consider the sequence m1,m2,m3, . . .
Let i < j ; since uj /∈ Ui , we have mi 6≤ mj (upward-closedness)
So infinitely many elements of m1,m2,m3 . . . are incomparable
Contradiction to Dickson’s lemma
43
![Page 44: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/44.jpg)
Repeated reachability in broadcast protocols
The following problem is undecidable:
Given: a broadcast protocol,
an initial parametric configuration p = (t,0, . . . ,0)
To decide: is there an integer n such that the transition system
with (n,0, . . . ,0) as initial configuration
has an infinite computation ?
Can be reformulated as a repeated reachability problem whereI = (t,0, . . . ,0) and F = set of all configurations
44
![Page 45: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/45.jpg)
Application to the MESI-protocol
Are the states M and S mutually exclusive?
Check if the upward-closed set with minimal element
m = 1, e = 0, s = 1, i = 0
can be reached from the initial p-configuration
m = 0, e = 0, s = 0, i = t
Proceed as follows:
D: m ≥ 1 ∧ s ≥ 1
D ∪ pre(D): (m ≥ 1 ∧ s ≥ 1) ∨(m = 0 ∧ e = 1 ∧ s ≥ 1)
D ∪ pre(D) ∪ pre2(D): D ∪ pre(D)
45
![Page 46: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/46.jpg)
Application to the MESI-protocol
Are the states M and S mutually exclusive?
Check if the upward-closed set with minimal element
m = 1, e = 0, s = 1, i = 0
can be reached from the initial p-configuration
m = 0, e = 0, s = 0, i = t
Proceed as follows:
D: m ≥ 1 ∧ s ≥ 1
D ∪ pre(D): (m ≥ 1 ∧ s ≥ 1) ∨(m = 0 ∧ e = 1 ∧ s ≥ 1)
D ∪ pre(D) ∪ pre2(D): D ∪ pre(D)
46
![Page 47: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/47.jpg)
Application to the MESI-protocol
Are the states M and S mutually exclusive?
Check if the upward-closed set with minimal element
m = 1, e = 0, s = 1, i = 0
can be reached from the initial p-configuration
m = 0, e = 0, s = 0, i = t
Proceed as follows:
D: m ≥ 1 ∧ s ≥ 1
D ∪ pre(D): (m ≥ 1 ∧ s ≥ 1) ∨(m = 0 ∧ e = 1 ∧ s ≥ 1)
D ∪ pre(D) ∪ pre2(D): D ∪ pre(D)
47
![Page 48: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/48.jpg)
Application to the MESI-protocol
Are the states M and S mutually exclusive?
Check if the upward-closed set with minimal element
m = 1, e = 0, s = 1, i = 0
can be reached from the initial p-configuration
m = 0, e = 0, s = 0, i = t
Proceed as follows:
D: m ≥ 1 ∧ s ≥ 1
D ∪ pre(D): (m ≥ 1 ∧ s ≥ 1) ∨(m = 0 ∧ e = 1 ∧ s ≥ 1)
D ∪ pre(D) ∪ pre2(D): D ∪ pre(D)
48
![Page 49: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/49.jpg)
Case studies (by Delzanno)
Broadcast protocols must be extended with more complicated guards.
Termination guarantee gets lost, but can be recovered
Upward-closed sets represented by linear constraints
Backward-search algorithm must be refinedPossibly more iterations, but each iteration has lower complexity
Berkeley RISC, Illinois, Xerox PARC Dragon, DEC FireflyAt most 7 iterations and below 100 seconds (SPARC5, Pentium 133)
Futurebus +8 steps and 200 seconds (Pentium 133)
49
![Page 50: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/50.jpg)
Symbolic search for other models
FIFO-automata with lossy channels
[Abdulla and Jonsson, I&C 127, 1993], [Abdulla et al, CAV’98, LNCS 1427]
Configuration: pair (q,w), where q state and w = (w1, . . . ,wn) vector of words
representing the queue contents
Family C: upward-closed sets with respect to the subsequence order
abba ≤ bbaabaaabbabb
Dickson’s lemma→ Higman’s lemma
Backward search satisfies (1) - (6)
Timed automata
[Alur and Dill, TCS 126, 1994]
Configuration: pair (q,x), where q state and x vector of real numbers
Family C: regions or zones
Forward and backward search satisfy (1) - (6)
50
![Page 51: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/51.jpg)
Pushdown systems
A pushdown system (PDS) is a triple (P,Γ,∆), where
– P is a finite set of control locations
– Γ is a finite stack alphabet
– ∆ ⊆ (P × Γ)× (P × Γ∗) is a finite set of rules.
A configuration is a pair 〈p, v〉, where p ∈ P, v ∈ Γ∗
If 〈p, γ〉 ↪→ 〈p′, v〉 ∈∆ then 〈p, γw〉 −→ 〈p′, vw〉 for every w ∈ Γ∗
Normalisation: |v | ≤ 2
51
![Page 52: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/52.jpg)
PDSs as models of sequential programs
Programs determined by
control flow of procedures
– assignments, conditionals, loops
– procedure calls with parameter passing / return values
local variables of each procedure
global variables
State space determined by
program pointer
values of global variables
values of local variables (of current procedure)
activation records (return addresses, copies of locals)
52
![Page 53: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/53.jpg)
Interpretation of 〈p, γv〉
p holds values of global variables
γ holds (program pointer, values of local variables)
v holds stack of (return address, saved locals)
Restriction: finite datatypes
Correspondence between statements and rules
〈p, γ〉 ↪→ 〈p′, γ′〉 simple statement
〈p, γ〉 ↪→ 〈p′, γ′γ′′〉 procedure call
〈p, γ〉 ↪→ 〈p′, ε〉 return statement
53
![Page 54: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/54.jpg)
Reachability in pushdown systems
A set of configurations C is regular if for every control point p, the set{w ∈ Γ∗ | 〈p,w〉 ∈ C} is regular
Typically, I and F are regular sets of configurations(even very simple ones, like 〈p,Γ∗〉)
Family C: regular sets
54
![Page 55: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/55.jpg)
Backward search: Do conditions (2) - (6) hold ?
1. Each regular set can be finitely represented by a multi-automaton√
Multi-automata for a pushdown system:
P as set of initial states and Γ as alphabet
〈p, v〉 recognized if p v−−−→ q for some final state q
Example: P = {p0, p1} and Γ = {γ0, γ1}Automaton coding the set 〈p0, γ0γ
∗1γ0〉 ∪ 〈p1, γ1〉 :
p0
p1
γ0
γ0
γ1
γ1
55
![Page 56: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/56.jpg)
2. F ∈ C√
3. If C ∈ C, then C ∪ pre(C) ∈ C√
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0〉 }
56
![Page 57: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/57.jpg)
2. F ∈ C√
3. If C ∈ C, then C ∪ pre(C) ∈ C√
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0〉 }
57
![Page 58: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/58.jpg)
2. F ∈ C√
3. If C ∈ C, then C ∪ pre(C) ∈ C√
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
p0
p1
γ0
γ0
γ1
γ1
58
![Page 59: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/59.jpg)
2. F ∈ C√
3. If C ∈ C, then C ∪ pre(C) ∈ C√
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
p0
p1
p′0
p′1
γ0
γ0
γ1
γ1
59
![Page 60: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/60.jpg)
2. F ∈ C√
3. If C ∈ C, then C ∪ pre(C) ∈ C√
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
p0
p1
p′0
p′1
γ0
γ0
γ1
γ1
γ0
60
![Page 61: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/61.jpg)
2. F ∈ C√
3. If C ∈ C, then C ∪ pre(C) ∈ C√
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
p0
p1
p′0
p′1
γ0
γ0
γ1
γ1
γ0
γ1
61
![Page 62: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/62.jpg)
2. F ∈ C√
3. If C ∈ C, then C ∪ pre(C) ∈ C√
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
p0
p1
p′0
p′1
γ0
γ0
γ1
γ1
γ0
γ1
62
![Page 63: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/63.jpg)
2. F ∈ C√
3. If C ∈ C, then C ∪ pre(C) ∈ C√
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
p0
p1
p′0
p′1
γ0
γ0
γ1
γ1
γ0
γ1
γ0
γ1
63
![Page 64: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/64.jpg)
2. F ∈ C√
3. If C ∈ C, then C ∪ pre(C) ∈ C√
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
p0
p1
p′0γ0
γ0
γ1
γ0
γ1
γ0
γ1
64
![Page 65: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/65.jpg)
2. F ∈ C√
3. If C ∈ C, then C ∪ pre(C) ∈ C√
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
p0
p1
p′′0
p′′1
p′0γ0
γ0
γ1
γ0
γ1
γ0
γ1
65
![Page 66: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/66.jpg)
2. F ∈ C√
3. If C ∈ C, then C ∪ pre(C) ∈ C√
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
p0
p1
p′′0
p′′1
p′0γ0
γ0
γ1
γ0
γ1
γ0
γ1
γ0
66
![Page 67: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/67.jpg)
2. F ∈ C√
3. If C ∈ C, then C ∪ pre(C) ∈ C√
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
p0
p1
p′′0
p′′1
p′0γ0
γ0
γ1
γ0
γ1
γ0
γ1
γ0
γ1
67
![Page 68: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/68.jpg)
2. F ∈ C√
3. If C ∈ C, then C ∪ pre(C) ∈ C√
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
p0
p1
p′′0
p′′1
p′0γ0
γ0
γ1
γ0
γ1
γ0
γ1
γ0
γ1 γ1
68
![Page 69: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/69.jpg)
2. F ∈ C√
3. If C ∈ C, then C ∪ pre(C) ∈ C√
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
p0
p1
γ0
γ0
γ1
γ0
γ0γ0
γ0
γ0
γ1
γ1
γ1
γ1
69
![Page 70: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/70.jpg)
2. F ∈ C√
3. If C ∈ C, then C ∪ pre(C) ∈ C√
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
p0
p1
γ0
γ0
γ1
γ0
γ0γ0
γ0
γ0
γ1
γ1
γ1
γ1
70
![Page 71: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/71.jpg)
4. Emptyness of C ∩ I is decidable√
5. C1 = C2 is decidable√
71
![Page 72: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/72.jpg)
4. Emptyness of C ∩ I is decidable√
5. C1 = C2 is decidable√
72
![Page 73: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/73.jpg)
6. Any chain C1 ⊆ C2 ⊆ C3 . . . eventually reaches a fixpoint NO!
P = {p0, p1}, Γ = {γ0, γ1}
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
C0 = F = 〈p0, γ0γ∗1γ0〉 ∪ 〈p1, γ1〉
C1 = C0 ∪ pre(C0) = 〈p0, (γ0 + γ20)γ∗1γ0〉 ∪
〈p1, γ1(ε+ γ0)γ∗1(ε+ γ0)〉· · ·
Ci = Ci−1 ∪ pre(Ci−1) = 〈p0, (γ0 + . . .+ γ i+10 )γ∗1γ0〉 ∪
〈p1, γ1(ε+ γ0 + . . .+ γ i0)γ∗1(ε+ γ0)〉
· · ·
73
![Page 74: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/74.jpg)
6. Any chain C1 ⊆ C2 ⊆ C3 . . . eventually reaches a fixpoint NO!
P = {p0, p1}, Γ = {γ0, γ1}
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
C0 = F = 〈p0, γ0γ∗1γ0〉 ∪ 〈p1, γ1〉
C1 = C0 ∪ pre(C0) = 〈p0, (γ0 + γ20)γ∗1γ0〉 ∪
〈p1, γ1(ε+ γ0)γ∗1(ε+ γ0)〉· · ·
Ci = Ci−1 ∪ pre(Ci−1) = 〈p0, (γ0 + . . .+ γ i+10 )γ∗1γ0〉 ∪
〈p1, γ1(ε+ γ0 + . . .+ γ i0)γ∗1(ε+ γ0)〉
· · ·
74
![Page 75: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/75.jpg)
6. Any chain C1 ⊆ C2 ⊆ C3 . . . eventually reaches a fixpoint NO!
P = {p0, p1}, Γ = {γ0, γ1}
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
C0 = F = 〈p0, γ0γ∗1γ0〉 ∪ 〈p1, γ1〉
C1 = C0 ∪ pre(C0) = 〈p0, (γ0 + γ20)γ∗1γ0〉 ∪
〈p1, γ1(ε+ γ0)γ∗1(ε+ γ0)〉· · ·
Ci = Ci−1 ∪ pre(Ci−1) = 〈p0, (γ0 + . . .+ γ i+10 )γ∗1γ0〉 ∪
〈p1, γ1(ε+ γ0 + . . .+ γ i0)γ∗1(ε+ γ0)〉
· · ·
75
![Page 76: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/76.jpg)
6. Any chain C1 ⊆ C2 ⊆ C3 . . . eventually reaches a fixpoint NO!
P = {p0, p1}, Γ = {γ0, γ1}
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
C0 = F = 〈p0, γ0γ∗1γ0〉 ∪ 〈p1, γ1〉
C1 = C0 ∪ pre(C0) = 〈p0, (γ0 + γ20)γ∗1γ0〉 ∪
〈p1, γ1(ε+ γ0)γ∗1(ε+ γ0)〉· · ·
Ci = Ci−1 ∪ pre(Ci−1) = 〈p0, (γ0 + . . .+ γ i+10 )γ∗1γ0〉 ∪
〈p1, γ1(ε+ γ0 + . . .+ γ i0)γ∗1(ε+ γ0)〉
· · ·
76
![Page 77: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/77.jpg)
6. Any chain C1 ⊆ C2 ⊆ C3 . . . eventually reaches a fixpoint NO!
P = {p0, p1}, Γ = {γ0, γ1}
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
C0 = F = 〈p0, γ0γ∗1γ0〉 ∪ 〈p1, γ1〉
C1 = C0 ∪ pre(C0) = 〈p0, (γ0 + γ20)γ∗1γ0〉 ∪
〈p1, γ1(ε+ γ0)γ∗1(ε+ γ0)〉· · ·
Ci = Ci−1 ∪ pre(Ci−1) = 〈p0, (γ0 + . . .+ γ i+10 )γ∗1γ0〉 ∪
〈p1, γ1(ε+ γ0 + . . .+ γ i0)γ∗1(ε+ γ0)〉
· · ·
77
![Page 78: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/78.jpg)
6. Any chain C1 ⊆ C2 ⊆ C3 . . . eventually reaches a fixpoint NO!
P = {p0, p1}, Γ = {γ0, γ1}
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
C0 = F = 〈p0, γ0γ∗1γ0〉 ∪ 〈p1, γ1〉
C1 = C0 ∪ pre(C0) = 〈p0, (γ0 + γ20)γ∗1γ0〉 ∪
〈p1, γ1(ε+ γ0)γ∗1(ε+ γ0)〉· · ·
Ci = Ci−1 ∪ pre(Ci−1) = 〈p0, (γ0 + . . .+ γ i+10 )γ∗1γ0〉 ∪
〈p1, γ1(ε+ γ0 + . . .+ γ i0)γ∗1(ε+ γ0)〉
· · ·
78
![Page 79: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/79.jpg)
However, the fixpoint
pre∗(F) = 〈p0, γ+0 γ∗1γ0〉 ∪
〈p1, γ1γ∗0γ∗1(ε+ γ0)〉
is regular
How can we compute it?
79
![Page 80: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/80.jpg)
Accelerations
By definition, pre(F) =⋃
i≥0 Ciwhere C0 = F and Ci+1 = Ci ∪ pre(Ci) for every i ≥ 0
If convergence fails, try to compute an acceleration :a sequence D0 ⊆ D1 ⊆ D2 . . . such that
(a) ∀i ≥ 0: Ci ⊆ Di
(b) ∀i ≥ 0: Di ⊆⋃
j≥0 Cj = pre(F)
Property (a) ensures capture of (at least) the whole set pre(F)
Property (b) ensures that only elements of pre(F) are captured
The acceleration guarantees termination if
(c) ∃i ≥ 0: Di+1 = Di
80
![Page 81: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/81.jpg)
An acceleration for pushdown systems
Idea: reuse the same states
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
p0
p1
γ0
γ0
γ1
γ1
p0
p1
γ0
γ0
γ1
γ1
81
![Page 82: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/82.jpg)
An acceleration for pushdown systems
Idea: try to reuse the same states
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
p0
p1
p′0
p′1
γ0
γ0
γ1
γ1
p0
p1
γ0
γ0
γ1
γ1
82
![Page 83: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/83.jpg)
An acceleration for pushdown systems
Idea: try to reuse the same states
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
p0
p1
p′0
p′1
γ0
γ0
γ1
γ1
γ0 p0
p1
γ0
γ0
γ1
γ1
83
![Page 84: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/84.jpg)
An acceleration for pushdown systems
Idea: try to reuse the same states
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
p0
p1
p′0
p′1
γ0
γ0
γ1
γ1
γ0 p0
p1
γ0
γ0
γ1
γ1γ0
84
![Page 85: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/85.jpg)
An acceleration for pushdown systems
Idea: try to reuse the same states
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
p0
p1
p′0
p′1
γ0
γ0
γ1
γ1
γ0
γ1
p0
p1
γ0
γ0
γ1
γ1γ0
85
![Page 86: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/86.jpg)
An acceleration for pushdown systems
Idea: try to reuse the same states
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
p0
p1
p′0
p′1
γ0
γ0
γ1
γ1
γ0
γ1
p0
p1
γ0
γ0
γ1
γ1γ0
γ1
86
![Page 87: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/87.jpg)
An acceleration for pushdown systems
Idea: try to reuse the same states
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
p0
p1
p′0
p′1
γ0
γ0
γ1
γ1
γ0
γ1
p0
p1
γ0
γ0
γ1
γ1γ0
γ1
87
![Page 88: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/88.jpg)
An acceleration for pushdown systems
Idea: try to reuse the same states
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
p0
p1
p′0
p′1
γ0
γ0
γ1
γ1
γ0
γ1
γ0
γ1
p0
p1
γ0
γ0
γ1
γ1γ0
γ1
88
![Page 89: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/89.jpg)
An acceleration for pushdown systems
Idea: try to reuse the same states
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
p0
p1
p′′0
p′′1
p′0γ0
γ0
γ1
γ0
γ1
γ0
γ1
p0
p1
γ0
γ0
γ1
γ1γ0
γ1
89
![Page 90: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/90.jpg)
An acceleration for pushdown systems
Idea: try to reuse the same states
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
p0
p1
p′′0
p′′1
p′0γ0
γ0
γ1
γ0
γ1
γ0
γ1
γ0 p0
p1
γ0
γ0
γ1
γ1γ0
γ1
90
![Page 91: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/91.jpg)
An acceleration for pushdown systems
Idea: try to reuse the same states
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
p0
p1
p′′0
p′′1
p′0γ0
γ0
γ1
γ0
γ1
γ0
γ1
γ0
γ1
p0
p1
γ0
γ0
γ1
γ1γ0
γ1
91
![Page 92: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/92.jpg)
An acceleration for pushdown systems
Idea: try to reuse the same states
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
p0
p1
p′′0
p′′1
p′0γ0
γ0
γ1
γ0
γ1
γ0
γ1
γ0
γ1 γ1
p0
p1
γ0
γ0
γ1
γ1γ0
γ1
92
![Page 93: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/93.jpg)
An acceleration for pushdown systems
Idea: try to reuse the same states
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
p0
p1
p′′0
p′′1
p′0γ0
γ0
γ1
γ0
γ1
γ0
γ1
γ0
γ1 γ1
p0
p1
γ0
γ0
γ1
γ1γ0
γ1 γ1
93
![Page 94: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/94.jpg)
An acceleration for pushdown systems
Idea: try to reuse the same states
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
p0
p1
γ0
γ0
γ1
γ1γ0
γ1 γ1
94
![Page 95: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/95.jpg)
But does it work . . . ?
All predecessors are computed, and termination guaranteed
But: we might be adding non-predecessors
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
p0
p1
γ0
γ0
γ1
γ1
Fortunately: correct if initial states have no incoming arcs
95
![Page 96: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/96.jpg)
But does it work . . . ?
All predecessors are computed, and termination guaranteed
But: we might be adding non-predecessors
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
p0
p1
γ0
γ0
γ1
γ1γ0
Fortunately: correct if the initial states do not have any incoming arcs
96
![Page 97: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/97.jpg)
But does it work . . . ?
All predecessors are computed, and termination guaranteed
But: we might be adding non-predecessors
∆ = { 〈p0, γ0〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p0, ε〉 , 〈p1, γ1〉 ↪→ 〈p1, γ1γ0 〉}
p0
p1
γ0
γ0
γ1
γ1γ0
Fortunately: correct if initial states have no incoming arcs
97
![Page 98: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/98.jpg)
Repeated reachability for pushdown systems
Let I = 〈p0, γ0〉 and F = 〈p,Γ∗〉
F can be repeatedly reached from I iff
〈p0, γ0〉 −→∗ 〈p′, γw〉and
〈p′, γ〉 −→∗ 〈p, v〉 −→∗ 〈p′, γu〉
for some p′, γ,w , v , u
Repeated reachability can be reduced to computing several pre∗
98
![Page 99: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/99.jpg)
Applications
Algorithms for pre∗ and post∗ developed in [E. et al., CAV’00, CAV’01]BDD technology to deal with variables
Implemented in the Moped model-checker
Used as replacement of Bebop in the SLAM project
Experimental results (by Schwoon) on
Test suite of 64 C-programs
Four drivers with between 2200 and 7600 lines of code
A serial driver with 27000 lines of code
For the drivers: locking-unlocking properties checked or bugs found in between 1and 2 minutes
99
![Page 100: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/100.jpg)
A general acceleration framework
Compute a symbolic reachability graph with elements of C as nodes:
Add I as first node
For each node C and each transition t , add an edge C t−→ post[t](C)
Replace C σ−→ post[σ](C) by C σ−→ X , where X satisfies
(1) post[σ](C) ⊆ X , and
(2) X contains only reachable configurations
100
![Page 101: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/101.jpg)
Acceleration through loops
A loop is a sequence C σ−→ post[σ](C) such that
C σ−→ post[σ](C)σ−→ post[σ2](C)
σ−→ post[σ3](C) · · ·
Examples: c σ−→ c′ ≥ c in broadcast protocols
〈p, γ〉 σ−→ 〈p, γv〉 in pushdown systems
Acceleration: given a loop C σ−→ post[σ](C) , replace post[σ](C) by
X = post[σ∗](C) = C ∪ post[σ](C) ∪ post[σ2](C) ∪ . . .
Problem: find a suitable class of loops such that post[σ∗](C) belongs to C
101
![Page 102: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/102.jpg)
Other models
Counter machines [Boigelot and Wolper, CAV’94, LNCS 818]
Configuration: pair (q, n1, . . . , nk), where q state n1, . . . , nk integers
Family C: Presburger sets
Suitable loops: syntactically defined
FIFO-automata with lossy channels [Abdulla et al, CAV’98, LNCS 1427]
Configuration: pair (q,w), where s state and w vector of words representing the contents ofthe queues
Family C: regular sets represented by simple regular expressions
Suitable loops: any
FIFO-automata with perfect channels [Boigelot and Godefroid, CAV’96, LNCS1102], [Bouajjani and Habermehl, ICALP’97, LNCS 1256]
Arrays of parallel processes [Bouajjani et al, CAV’00, LNCS 1855]
102
![Page 103: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/103.jpg)
Widenings
Accurate widenings
Replace C σ−→ post[a](C) by C σ−→ X , where X satisfies
(1) post[a](C) ⊆ X , and
(2’) X contains only reachable final configurations
Notice that X may contain unreachable non-final configurations!
103
![Page 104: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/104.jpg)
Inaccurate widenings
Replace C σ−→ post[a](C) by C σ−→ X , where X satisfies
(1) post[a](C) ⊆ X
If no configuration of the graph belongs to F , then no reachable configurationbelongs to F
If some configuration of the graph belongs to F , no information is gained
104
![Page 105: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/105.jpg)
Accurate widenings in broadcast protocols
Fact: post[σ](p) = Tσ(p) for a linear transformation Tσ(p) = Mσ · x + bσ
It follows: post[σ∗](p) =⋃
n≥0 T nσ(p)
However, post[σ∗](p) may not be a parametric configuration
Accurate widening: widen post[σ∗](p) to lub{T nσ(p) | n ≥ 0}
Theorem: if the set F is upward-closed, this widening is accurate
105
![Page 106: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/106.jpg)
Does widening lead to termination?
For arbitrary broadcast protocols: NO! [E. et al, LICS’99]
Example in which the acceleration doesn’t have any effect:
q1 q2 q3
a!!
a??
c
a??
p0 = (t,0,0)
For rendezvous communication only: YES[Karp and Miller ’69], [German and Sistla, JACM 39(3), 1992]
106
![Page 107: Model Checking Infinite State Spaces · Model Checking An approach to the verification problem which formalises system satisfies property as Kripke structure is model of temporal](https://reader035.fdocuments.net/reader035/viewer/2022081613/5fb7f854e219c828c62f0280/html5/thumbnails/107.jpg)
Conclusions
Decidability analysis very advanced
Many algorithms useful in practice
Many prototype implementations, some tools
The ADVANCE project:Advanced Verification Techniques for Telecommunication Protocols
Challenges:
systems with several sources of infinity (automata-theoretic techniques)
connection to program analysis
107