# Regular Model Checking Parosh Aziz Abdulla Uppsala University Cooperation with B. Jonsson, M. Nilsson, J. d’Orso.

## Presentation transcript

Outline

- Model Checking
- Infinite-State Systems
- Parameterized Systems
- Regular Model Checking
- Column Transducer Construction
- Sufficient Conditions for Exactness
- Future Work

Model Checking: given a system S and a specification φ, decide whether S ⊨ φ (does the system satisfy the specification?).

Infinite State Systems

1. Unbounded data structures: timed automata, push-down automata, communicating finite-state automata, counter automata.
2. Unbounded control structures: parameterized systems, dynamic systems.

Parameterized Systems: mutual exclusion protocols, cache coherence protocols, broadcast protocols. Dynamic Systems: security protocols, multi-threaded programs.

Model Checking of parameterized systems: S ⊨ φ ?, where S is a parameterized system and φ a specification. Classification:

- S: topology, components, communication mechanisms
- φ: safety properties, liveness properties

Topology: set, array, tree, matrix.

Components: simple (a finite-state process) or extended (with clocks, counters, buffers, etc.). Communication mechanism: binary (rendez-vous) or broadcast; neighbour or global.

Simplest Case: Set + Finite-state + Rendez-vous. Example: parameterized mutual exclusion. Every process has two local states, W (waiting) and C (critical section), and all processes share one variable R. A process moves from W to C only when R = 0 and then sets R := 1 (the edge "R=0? R:=1"); when it leaves C it sets R := 0. Since the processes are identical and the topology is a set, only the number of processes in each local state matters: the counter abstraction of the system is a Petri net.

Petri Net Model: one place for W, one for C, and one place for each value of R, (R=0) and (R=1). The transition W → C consumes a token from W and the token in (R=0) and produces a token in C and one in (R=1) (the edge "R=0? R:=1"); the transition C → W moves the tokens back (R:=0). Initial marking: no token in C, 1 token in (R=0), and the tokens for the processes in W. Bad markings: at least 2 tokens in C.
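The check the Petri net model calls for, as an added example written for this page (not code from the slides): the bad set "at least 2 tokens in C" is upward closed, so backward reachability from it can be represented by finitely many minimal markings. The code encodes the net with places W, C, R0 (R = 0) and R1 (R = 1), computes the minimal markings from which a bad marking is coverable, and then asks whether an initial marking with n processes in W covers any of them, for all n at once. A second, constructed variant of the net, in which the W → C transition forgets to test and consume the R = 0 token, is included to show what a detected violation looks like; the names TRANSITIONS, BUGGY_TRANSITIONS and BAD are this example's own.

```python
"""Backward coverability on the Petri net (counter abstraction) of the
parameterized mutual-exclusion protocol: an added illustration written for
this page, not code from the slides.

Places, in this order: W (waiting), C (critical section), R0 (R = 0),
R1 (R = 1).  A marking is a tuple of token counts.  "At least 2 tokens in C"
is an upward-closed set, represented by its minimal elements; its
predecessors under the net are again upward closed, so backward reachability
only ever manipulates finite sets of minimal markings.
"""

PLACES = ("W", "C", "R0", "R1")

# A transition is (consumed, produced), each a vector over PLACES.
TRANSITIONS = {
    "enter": ((1, 0, 1, 0), (0, 1, 0, 1)),  # W + (R=0) -> C + (R=1): "R=0? R:=1"
    "exit":  ((0, 1, 0, 1), (1, 0, 1, 0)),  # C + (R=1) -> W + (R=0): "R:=0"
}

# Constructed faulty variant: entering no longer tests/consumes R = 0.
BUGGY_TRANSITIONS = {
    "enter": ((1, 0, 0, 0), (0, 1, 0, 0)),
    "exit":  ((0, 1, 0, 1), (1, 0, 1, 0)),
}

BAD = {(0, 2, 0, 0)}  # generator of "at least two processes in C"


def leq(a, b):
    """Componentwise order on markings."""
    return all(x <= y for x, y in zip(a, b))


def minimal(markings):
    """Minimal elements: the generators of the upward closure of `markings`."""
    ms = set(markings)
    return {m for m in ms if not any(o != m and leq(o, m) for o in ms)}


def pre(marking, consumed, produced):
    """Least marking from which firing the transition reaches the upward
    closure of `marking`: undo the production (clipped at zero), then require
    the tokens the transition consumes."""
    return tuple(max(m - q, 0) + p for m, p, q in zip(marking, consumed, produced))


def backward_coverability(bad_generators, transitions):
    """Generators of pre*(up(bad)).  The iteration terminates because the sets
    grow monotonically and (N^k, <=) is a well-quasi-order."""
    frontier = minimal(bad_generators)
    while True:
        preds = {pre(m, p, q) for m in frontier for (p, q) in transitions.values()}
        new = minimal(frontier | preds)
        if new == frontier:
            return frontier
        frontier = new


def initial_marking(n):
    """n processes waiting, nobody critical, R = 0."""
    return (n, 0, 1, 0)


def initial_covers(generators, n):
    """Can the instance with n processes reach a bad marking?"""
    return any(leq(g, initial_marking(n)) for g in generators)


def safe_for_all_n(generators):
    """Every initial marking has C = R1 = 0 and R0 = 1 and an arbitrary W, so
    some instance is unsafe iff a generator needs no C or R1 token and at most
    one R0 token (W can always be made large enough)."""
    return not any(g[1] == 0 and g[3] == 0 and g[2] <= 1 for g in generators)


if __name__ == "__main__":
    for name, net in (("protocol", TRANSITIONS), ("buggy variant", BUGGY_TRANSITIONS)):
        gens = backward_coverability(BAD, net)
        print(name, sorted(gens), "safe for all n:", safe_for_all_n(gens))
```

For the protocol as given the generators are (C=2), (W=1, C=1, R0=1) and (W=2, R0=2); none is covered by an initial marking, because a single R = 0 token is never enough, so mutual exclusion holds for every number of processes. In the faulty variant the generator (W=2) appears, and two waiting processes already suffice.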

Parameterized System of Finite-State Processes (German & Sistla): each component is a finite-state process, and components synchronize by rendez-vous. The parameterized system has a Petri net representation.

Parameterized System of Timed Processes (Timed Networks): each component is a timed process with a clock x (resets such as x := 0, guards such as x < 5), and components synchronize. The parameterized system has a timed Petri net representation, where tokens carry the clock values and arcs carry intervals such as [0:0] and [0:5].

Array of Finite-State Processes: in general undecidable; use Regular Model Checking [Kesten et al 97].

Example: Szymanski's Algorithm. Pseudocode for process i:

```
1: await ∀ j : j ≠ i :: ¬ s_j
2: w_i, s_i := true, true
3: if ∃ j : j ≠ i :: (pc_j ≠ 1 ∧ ¬ w_j) then s_i := false; goto 4
   else w_i := false; goto 5
4: await ∃ j : j ≠ i :: (s_j ∧ ¬ w_j) then w_i, s_i := false, true
5: await ∀ j : j ≠ i :: ¬ w_j
6: await ∀ j : j < i :: ¬ s_j
7: s_i := false; goto 1
```

Linear Process Networks: Token Passing. In an array of processes, exactly one process holds the token (T) and the others do not (N); the token moves one position to the right: T N N N N → N T N N N → N N T N N.

Token Passing: Model

- Alphabet: Σ = {N, T}
- Configurations: words over Σ
- Initial configurations: T N* (a regular language)
- Transition relation: a transducer R with states q0 (initial), q1, q2 (final) and edges q0 -N/N-> q0, q0 -T/N-> q1, q1 -N/T-> q2, q2 -N/N-> q2. Each edge reads one input letter and writes one output letter, so R maps a configuration to the configuration with the token moved one position to the right.

A Run of the Transducer R, starting from the concrete initial configuration T N N N: T N N N → N T N N → N N T N → N N N T (each application of R moves the token one position).

A Symbolic Run of the Transducer R, starting from the set of initial configurations T N*: T N* → N T N* → N N T N* → N N N T N* → ...

- Termination? The forward iteration never stabilizes: every step produces a new regular set N^k T N*.
- Ideally we would compute the reachable set directly: R*(T N*) = N* T N*, where R* is the reflexive transitive closure of R.
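The symbolic computation above, as an added example (not code from the slides or from regularmodelchecking.com): regular sets are small NFAs, R is a transducer, and applying R to a regular set is a product construction. The code iterates R on T N* to reproduce the runs on the slides and then verifies the candidate closure N* T N* the way a safety proof needs it: it contains the initial set, it is closed under R, and it is disjoint from the bad configurations with two tokens. The bad set and the automaton names INIT, INV and BAD are this example's own. Inclusion and disjointness are decided by determinising both automata on the fly, which is all that automata of this size need.

```python
"""Regular model checking on the token-passing example from the slides.
Added illustration; not code from the slides or from regularmodelchecking.com.

Configurations are words over {N, T}; a set of configurations is an NFA;
the transition relation R is a length-preserving transducer.  The code
applies R to a regular set (product construction), iterates it to show that
the naive forward iteration T N* -> N T N* -> N N T N* ... never stabilises,
and verifies the candidate closure N* T N* with language-inclusion checks.
"""
from collections import deque
from itertools import product

ALPHABET = ("N", "T")


class NFA:
    """delta maps (state, letter) -> set of successor states.  For a
    transducer the 'letter' is a pair (input, output)."""

    def __init__(self, init, final, delta):
        self.init, self.final = frozenset(init), frozenset(final)
        self.delta = {k: frozenset(v) for k, v in delta.items()}
        self.states = ({s for s, _ in delta} | {t for v in delta.values() for t in v}
                       | self.init | self.final)

    def step(self, s, a):
        return self.delta.get((s, a), frozenset())

    def accepts(self, word):
        cur = self.init
        for a in word:
            cur = frozenset(t for s in cur for t in self.step(s, a))
        return bool(cur & self.final)


def apply_transducer(nfa, tr):
    """Image of L(nfa) under tr: the product runs nfa on tr's input letter and
    keeps tr's output letter, giving an NFA over output letters."""
    delta = {}
    for (s, a), succs in nfa.delta.items():
        for (t, (x, y)), tsuccs in tr.delta.items():
            if x == a:
                key = ((s, t), y)
                delta[key] = delta.get(key, frozenset()) | frozenset(product(succs, tsuccs))
    return NFA(product(nfa.init, tr.init), product(nfa.final, tr.final), delta)


def iterate(start, tr, k):
    """R^k(start) by naive forward iteration (the automaton grows with k)."""
    for _ in range(k):
        start = apply_transducer(start, tr)
    return start


def _search(a, b, witness):
    """Breadth-first search over pairs of subset-states of a and b (both are
    determinised on the fly); True iff some word reaches a pair accepted by
    `witness`.  Pairs with an empty a-subset are pruned: no witness lies
    beyond a point where a is dead."""
    start = (a.init, b.init)
    seen, queue = {start}, deque([start])
    while queue:
        sa, sb = queue.popleft()
        if witness(sa, sb):
            return True
        for x in ALPHABET:
            nxt = (frozenset(t for s in sa for t in a.step(s, x)),
                   frozenset(t for s in sb for t in b.step(s, x)))
            if nxt[0] and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def included(a, b):
    """L(a) is a subset of L(b): no word accepted by a ends in a non-final subset of b."""
    return not _search(a, b, lambda sa, sb: bool(sa & a.final) and not (sb & b.final))


def disjoint(a, b):
    """L(a) and L(b) have no common word."""
    return not _search(a, b, lambda sa, sb: bool(sa & a.final) and bool(sb & b.final))


# The transducer R of the slides: N/N on q0, T/N q0->q1, N/T q1->q2, N/N on q2.
R = NFA({"q0"}, {"q2"}, {("q0", ("N", "N")): {"q0"}, ("q0", ("T", "N")): {"q1"},
                          ("q1", ("N", "T")): {"q2"}, ("q2", ("N", "N")): {"q2"}})
# Initial configurations T N*.
INIT = NFA({"i0"}, {"i1"}, {("i0", "T"): {"i1"}, ("i1", "N"): {"i1"}})
# Candidate for R*(T N*): N* T N*.
INV = NFA({"p0"}, {"p1"}, {("p0", "N"): {"p0"}, ("p0", "T"): {"p1"}, ("p1", "N"): {"p1"}})
# Bad configurations (constructed for this example): two tokens, (N+T)* T (N+T)* T (N+T)*.
BAD = NFA({"b0"}, {"b2"}, {("b0", "N"): {"b0"}, ("b0", "T"): {"b1"}, ("b1", "N"): {"b1"},
                           ("b1", "T"): {"b2"}, ("b2", "N"): {"b2"}, ("b2", "T"): {"b2"}})


def check_closure(init, tr, inv, bad):
    """(init in inv, R(inv) in inv, inv disjoint from bad): all True means inv
    is an inductive invariant containing R*(init) that excludes every bad
    configuration, which is exactly what a safety proof needs."""
    return included(init, inv), included(apply_transducer(inv, tr), inv), disjoint(inv, bad)


if __name__ == "__main__":
    for k in range(4):  # R^k(T N*) = N^k T N*: the token has moved k cells
        print(k, iterate(INIT, R, k).accepts("N" * k + "TN"))
    print(check_closure(INIT, R, INV, BAD))
```

The three checks in check_closure replace the non-terminating iteration: instead of computing R^k(T N*) for every k, one guesses the closure N* T N* (the slides compute it with the column transducer) and discharges it with finite automata operations. Replacing INV by INIT itself makes the second check fail, since T N* is not closed under R.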

Column Transducer R. The states of R are q0, q1, q2. Running R four times on T N N N N, feeding the output of each run into the next, gives the runs (the state listed at each position is the state before reading that letter, plus the state after the last letter):

```
input    T  N  N  N  N
run 1:  q0 q1 q2 q2 q2 q2   output  N T N N N
run 2:  q0 q0 q1 q2 q2 q2   output  N N T N N
run 3:  q0 q0 q0 q1 q2 q2   output  N N N T N
run 4:  q0 q0 q0 q0 q1 q2   output  N N N N T
```

Reading the table position by position, the states of the successive runs stack into columns: the column at the start is (q0, q0, q0, q0), after the first letter it is (q1, q0, q0, q0), after the second (q2, q1, q0, q0), and so on until (q2, q2, q2, q2). A sequence of columns is a run of the transducer for R^4.

Column Transducer

- Configurations: columns, i.e. members of Q^+ (Q is the set of states of R)
- Transitions: a column (q0, q1, q2, q3) moves to a column (r0, r1, r2, r3) on a/e iff there are intermediate letters b, c, d with q0 -a/b-> r0, q1 -b/c-> r1, q2 -c/d-> r2 and q3 -d/e-> r3: the output letter of each row is the input letter of the row below
- Initial configurations: columns of initial states
- Final configurations: columns of final states

A column of height k is a state of the transducer for R^k.

Example: Token passing. Initial columns: q0 q0 ... q0 (of every height); final columns: q2 q2 ... q2. Transitions, e.g. (q2, q1, q0, q0) -N/N-> (q2, q2, q1, q0): row 1 reads N and writes N (q2 → q2), row 2 reads that N and writes T (q1 → q2), row 3 reads T and writes N (q0 → q1), row 4 reads N and writes N (q0 → q0); in the run on N N N T N this is the step at the position just before the token.

- Transducer language (over all heights) = transitive closure R+
- Problem: the number of columns is infinite!
- Solution: abstraction!

Computing the Abstract Transducer

- Start with the initial configurations (columns) and the transitions of the original transducer
- repeat
  - stack transitions: if x -a/b-> z and y -b/c-> w then add (x y) -a/c-> (z w), where (x y) is the column x on top of the column y
  - define an equivalence ≃ on columns; if x ≃ y then merge x and y
- until the construction stabilizes

Defining ≃. Classify the states of R: a state is left-copying if every path from an initial state to it uses only copying transitions (of the form a/a); right-copying if every path from it to a final state uses only copying transitions; non-copying otherwise. Then x ≃ y if x = y modulo deletion of identical left- or right-copying neighbours, i.e. a run of the same left-copying or right-copying state inside a column collapses to a single occurrence.

Example: Token passing. In R, q0 is left-copying (it is reached only through the copying loop N/N from the initial state) and q2 is right-copying (it reaches the final state only through the copying loop N/N); q1 is non-copying. Hence, for example, q0 q0 q1 q2 q2 ≃ q0 q1 q2 q2 ≃ q0 q1 q2.

Example: Token passing, result of the construction. Starting from R itself (q0 -N/N-> q0, q0 -T/N-> q1, q1 -N/T-> q2, q2 -N/N-> q2), stacking transitions produces new columns; modulo ≃ only the columns q1 q0, q2 q1 and q2 q1 q0 are added, with the transitions

- q0 -T/N-> q1 q0
- q1 q0 -N/N-> q2 q1
- q1 q0 -N/N-> q2 q1 q0
- q2 q1 q0 -N/N-> q2 q1 q0
- q2 q1 q0 -N/N-> q2 q1
- q2 q1 -N/T-> q2

Taller columns such as q0 q0 (≃ q0), q2 q2 q1 (≃ q2 q1) and q2 q2 q1 q0 (≃ q2 q1 q0) are merged into the existing ones, and the construction stabilizes. The resulting transducer has six states; it relates u to v exactly when v is u with the token moved one or more positions to the right.
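The construction just shown, as an added example (not the slides' code and not the implementation at regularmodelchecking.com): starting from the edges of R, the code computes which states are left- and right-copying, normalises columns modulo ≃, stacks transitions of reachable columns as the procedure prescribes, and stops when nothing new appears. Two simplifications are this example's own: only columns reachable from the initial column are generated, and the initial states are assumed to be left-copying (true for R) so that every initial column normalises to a singleton. The function relates(u, v) then runs the resulting transducer on a pair of words.

```python
"""Abstract column transducer for the token-passing relation R, built the way
the slides describe.  Added illustration; not the slides' code nor the
regularmodelchecking.com implementation.

A column of height k (a tuple of states of R) is a state of the transducer
for R^k.  Columns are taken modulo deletion of identical neighbouring
left-copying or right-copying states; transitions of stacked columns are
composed (x -a/b-> z and y -b/c-> w give x.y -a/c-> z.w), and only columns
reachable from the initial column are kept.
"""
from itertools import product

# R as (state, input, output) -> successor; R happens to be deterministic.
R_EDGES = {("q0", "N", "N"): "q0", ("q0", "T", "N"): "q1",
           ("q1", "N", "T"): "q2", ("q2", "N", "N"): "q2"}
R_INIT, R_FINAL = {"q0"}, {"q2"}


def copying_states(edges):
    """Left-copying: every path from an initial state into the state uses only
    copying (a/a) edges.  Right-copying: every path out of it does.  Both are
    greatest fixpoints, computed by discarding violators until stable."""
    states = {s for (s, _, _) in edges} | set(edges.values())
    left, right = set(states), set(states)
    changed = True
    while changed:
        changed = False
        for (s, a, b), t in edges.items():
            if t in left and (a != b or s not in left):
                left.discard(t); changed = True
            if s in right and (a != b or t not in right):
                right.discard(s); changed = True
    return left, right


def normalize(col, left, right):
    """Delete a state equal to its upper neighbour when it is left- or
    right-copying (the representative of the column's class under the
    equivalence of the slides)."""
    out = []
    for s in col:
        if out and out[-1] == s and (s in left or s in right):
            continue
        out.append(s)
    return tuple(out)


def abstract_closure(edges, init, final):
    """Returns (columns, transitions, initial columns, final columns) of the
    abstract transducer for the transitive closure."""
    left, right = copying_states(edges)
    # assumption of this example: q^k normalises to (q,) for initial/final q
    assert init <= left and final <= right
    norm = lambda c: normalize(c, left, right)
    trans = {((s,), a, b, (t,)) for (s, a, b), t in edges.items()}
    init_cols, final_cols = {(s,) for s in init}, {(s,) for s in final}
    reach = set(init_cols)
    changed = True
    while changed:
        changed = False
        # targets of transitions leaving reachable columns are reachable
        for x, _, _, z in list(trans):
            if x in reach and z not in reach:
                reach.add(z); changed = True
        # stack two transitions whose middle letter agrees
        for (x, a, b, z), (y, b2, c, w) in product(list(trans), repeat=2):
            src = norm(x + y)
            if b != b2 or src not in reach:
                continue
            t = (src, a, c, norm(z + w))
            if t not in trans:
                trans.add(t); changed = True
    trans = {t for t in trans if t[0] in reach}
    return reach, trans, init_cols, final_cols


ABSTRACT = abstract_closure(R_EDGES, R_INIT, R_FINAL)


def relates(u, v, transducer=ABSTRACT):
    """Is (u, v) in R+ ?  Run the abstract transducer on the letter pairs."""
    columns, trans, init_cols, final_cols = transducer
    if len(u) != len(v):
        return False
    cur = set(init_cols)
    for a, c in zip(u, v):
        cur = {z for (x, a2, c2, z) in trans if x in cur and (a2, c2) == (a, c)}
    return bool(cur & final_cols)


if __name__ == "__main__":
    cols, trans, _, _ = ABSTRACT
    print(sorted(cols, key=len))
    for t in sorted(trans):
        print(t)
    print(relates("TNNN", "NNNT"), relates("TNNN", "TNNN"))
```

The saturation ends with the six columns of the slides (q0, q1, q2, q1 q0, q2 q1, q2 q1 q0) and ten transitions: the four edges of R and the six stacked ones listed above. Because normalisation is applied before a column is added, the loop cannot generate the infinitely many columns q0^k, q2^a q1 q0^b of the concrete column transducer, which is the whole point of the abstraction.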

Exactness of ≃. Merging columns x and y into one equivalence class may create paths from initial to final states that no sequence of concrete columns has: a transition into x followed by a transition out of a third column z of the same class need not correspond to any concrete run. The abstract transducer then accepts strictly more than the transitive closure. How should ≃ be defined so that the construction is exact?

Forward Simulation F: if x1 F y1 and x1 -a/b-> x2, then there is a y2 with y1 -a/b-> y2 and x2 F y2.

Backward Simulation B: if x2 B y2 and x1 -a/b-> x2, then there is a y1 with y1 -a/b-> y2 and x1 B y1.

Equivalence induced by F and B: x ≃ y iff there is a z with x F z and z B y (equivalently, by independence, a w with x B w and w F y). F and B are independent if whenever x F y and x B z there is a w with y B w and z F w, i.e. an F-step and a B-step from the same column can always be completed to a commuting diamond.

Example. B: x B y iff x = y modulo deletion of identical left-copying neighbours, e.g. q0 q0 q1 q2 B q0 q1 q2. F: x F y iff x = y modulo deletion of identical right-copying neighbours, e.g. q0 q1 q2 q2 F q0 q1 q2. Independence: from q0 q0 q1 q2 q2, an F-step reaches q0 q0 q1 q2 and a B-step reaches q0 q1 q2 q2, and both are completed at q0 q1 q2 (by B after F, and by F after B). Induced equivalence: x ≃ y iff x = y modulo deletion of identical left- or right-copying neighbours.

Consequence: exactness. Consider a path [x0] → [x1] → [x2] → [x3] of equivalence classes in the abstract transducer, where each abstract step is justified by a concrete transition into some column y_i of [x_i]. Walking forward from w0 = x0, the forward simulation F and the induced equivalence produce concrete transitions w0 → v1, w1 → v2, w2 → v3 with each v_i related to y_i through F and B, and the independence of F and B keeps the two relations aligned at every step (this is where the commuting diamond is used). Since the last class contains a final column, w3 can be chosen final. Walking backward from z3 = w3 with the backward simulation B then yields concrete transitions z0 → z1 → z2 → z3 with the same input/output labels, where z0 is B-related to the initial column x0 and is therefore initial. Hence every pair accepted by the abstract transducer is accepted by the column transducer, i.e. lies in the transitive closure; the converse inclusion holds by construction, so the abstract transducer is exact.

Other Examples: Szymanski's Algorithm (idealized), with the pseudocode for process i listed earlier.

Built states in transitive closures

www.regularmodelchecking.com

- All implementation available
- Implementation of automata with symbolic edges (BDDs)
- Source available under GPL

Future Work

- Tree-like topologies
- Liveness properties
- Non-structure-preserving transition relations
- Other kinds of systems: stacks, queues, timed, etc.
