From Monotonic Transition Systems to Monotonic Games
Parosh Aziz Abdulla, Uppsala University

Outline: Model Checking Infinite-State Systems; Methodology: Monotonicity, Well Quasi-Orderings; Models: Petri Nets, Lossy Channel Systems, Timed Petri Nets; Extension to Games.
Model Checking: given a transition system T and a specification, does T satisfy the specification?

Transition Systems and Reachability: given a set of initial states Init and a set of final states Fin, does Init reach Fin? Safety properties = reachability: a safety property is violated exactly when a bad state is reachable from Init.
Forward Reachability Analysis = computing Post, starting from Init: does the set of states reachable forward from Init intersect Fin?

Backward Reachability Analysis = computing Pre, starting from Fin: does the set of states from which Fin is reachable intersect Init?
Infinite-State Systems arise from: 1. unbounded data structures (stacks, queues, clocks, counters, etc.); 2. unbounded control structures (parameterized systems, dynamic systems).

Backward Reachability Analysis on an infinite-state system: the sets of states computed from Fin are infinite, so an effective symbolic representation is needed.
Petri Nets. States = markings (distributions of tokens over the places). Transitions: firing t removes a token from each input place of t and puts a token in each output place; t is disabled when some input place has no token. Monotonicity: adding tokens to a marking never disables a transition. Petri nets are infinite-state, since the number of tokens is unbounded.
Mutual Exclusion (Petri net example): each process moves between a non-critical place W and a critical place C, guarded by a shared variable R; entering C requires R=1 and sets R:=0, leaving C sets R:=1. Initial states: R=1 and all processes in W, for any number of processes, so the set of initial states is infinite. Bad states: two or more processes in C.
Safety Properties: mutual exclusion is violated iff #tokens in the critical section > 1. Ideal = upward closed set of markings. The bad markings form an ideal, so safety = reachability of ideals.

Petri Nets, summary: concurrent systems; infinite-state, hence a symbolic representation is needed; monotonic behaviour; safety properties = reachability of ideals.
Monotonicity: ideals are closed under computing Pre, i.e. if I is an ideal then Pre(I) is an ideal.

Backward Reachability Analysis with ideals: starting from Fin (an ideal), every set produced by the analysis is an ideal.
Ideals: Symbolic Representation. i: index (generator) of an ideal; i denotes the set of all markings larger than or equal to i. Index for the bad states: the marking with two tokens in C. Each ideal can be characterized by a finite set of generators. An index is a minimal element of its ideal: if i ≤ j then j lies in the ideal generated by i.

Indices of Pre: by monotonicity, ideals are closed under computing Pre, and for an index i the indices of Pre of the ideal generated by i are computable (a finite set of markings).
Backward Reachability Analysis on indices. Step 0: the index C of the bad states. Step 1, Step 2, Step 3, ...: add the indices of Pre of the ideals computed so far, keeping only minimal indices, until no new index appears.

What did we need? 1. Computable ordering. 2. Monotonicity, computability of Pre. 3. Termination -- the ordering is a WQO. These are the "nice properties".
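The three steps above, run on the mutual-exclusion net, as an added example (constructed here, not code from the slides): ideals are stored as sets of minimal generators, Pre is computed generator by generator, and the iteration stops at the first fixpoint, which the WQO on markings guarantees exists.

```python
# Backward reachability for a Petri net on minimal generators of
# upward-closed sets (ideals).  Constructed example: the mutual-exclusion
# net with places (W, C, R); markings are tuples over that order.
TRANSITIONS = {                      # (input vector, output vector)
    "enter": ((1, 0, 1), (0, 1, 0)),  # R=1? R:=0, token moves W -> C
    "leave": ((0, 1, 0), (1, 0, 1)),  # R:=1, token moves C -> W
}
BAD = {(0, 2, 0)}                    # index of "two or more tokens in C"

def leq(a, b):
    """Pointwise ordering on markings (a WQO by Dickson's lemma)."""
    return all(x <= y for x, y in zip(a, b))

def pre_generator(gen, trans):
    """Minimal marking that can fire `trans` and land in the ideal of `gen`:
    undo the output tokens (never below zero) and require the input tokens."""
    inp, out = trans
    return tuple(max(g - o, 0) + i for g, o, i in zip(gen, out, inp))

def minimize(gens):
    """Keep only generators not covered by a smaller generator."""
    gens = set(gens)
    return {g for g in gens if not any(h != g and leq(h, g) for h in gens)}

def backward_reach(bad_gens, transitions):
    """Step 0: bad indices; step k+1: add indices of Pre; stop at fixpoint."""
    gens = minimize(bad_gens)
    while True:
        new = {pre_generator(g, t) for g in gens for t in transitions.values()}
        merged = minimize(gens | new)
        if merged == gens:
            return gens
        gens = merged

def unsafe(gens, r_init):
    """Initial states: R = r_init, no token in C, any number of tokens in W.
    Some initial marking covers g iff g(C) == 0 and g(R) <= r_init."""
    return any(g[1] == 0 and g[2] <= r_init for g in gens)

if __name__ == "__main__":
    fix = backward_reach(BAD, TRANSITIONS)
    print(sorted(fix))                     # [(0, 2, 0), (1, 1, 1), (2, 0, 2)]
    print(unsafe(fix, 1), unsafe(fix, 2))  # False True
```

With R=1 initially no generator is covered, so mutual exclusion holds for every number of processes; with R=2 the generator (2, 0, 2) is covered and the bad ideal is reachable.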
Well Quasi-Ordering (WQO): (A, ≤) is a WQO if every infinite sequence a0, a1, a2, ... of elements of A contains indices i < j with a_i ≤ a_j. Simple example: (Nat, ≤) is a WQO, since in every infinite sequence x0, x1, x2, ... of natural numbers there are i < j with x_i ≤ x_j.

Properties of WQO. Finite sets: (A, =) is a WQO if A is finite, because some element must repeat in any infinite sequence a0, a1, a2, .... Words: if (A, ≤) is a WQO then (A*, ≤*) is a WQO, where w1 ≤* w2 holds when the letters of w1 = a0 a1 a2 can be matched, in order, to letters of w2 = b0 b1 ... b6 that are larger under ≤ (w1 embeds into w2). Multisets: if (A, ≤) is a WQO then (A^M, ≤_M) is a WQO, where M1 ≤_M M2 holds when the elements of M1 can be injectively matched to larger elements of M2.
Methodology: start from a finite domain and build more complicated data structures on top of it: words, multisets, lists, sets, etc.

Examples of WQOs: (A*, ≤) with A a finite alphabet and w1 ≤ w2 iff w1 is a subword of w2, e.g. ab ≤ xaybz; words of natural numbers; multisets over a finite alphabet; words of multisets over a finite alphabet (figures omitted).
Lossy Channel Systems (LCS): a finite state process communicating over an unbounded lossy channel through send (!m) and receive (?n) operations. Infinite state space. With a perfect channel the model is as expressive as a Turing machine (perfect channel = Turing machine). Motivation: link protocols.

State: a control state of the process together with the channel content, a word over the message alphabet (e.g. m p n m).

Transitions: Send !m appends m to the channel; Receive ?m removes m from the head of the channel; messages may nondeterministically be lost.

Example run (figure omitted): the channel content evolves through words such as p n m, p n n m, p m m, p m as messages are sent, received and lost.
Ordering on LCS states: (s1, w1) ≤ (s2, w2) iff s1 and s2 are the same control state ("same colour") and w1 is a subword of w2, e.g. m n p ≤ m p n p ≤ m n p m p. This ordering is computable and a WQO.

Monotonicity: the transition relation is monotonic with respect to ≤, and because messages may be lost, the set of states reachable from a state is downward closed.

Ideal: an index such as (s, m n p) denotes all larger states, i.e. all states with control state s and a channel content having m n p as a subword (m n p, m n m p, m m n m p, ...). Each ideal can be characterized by a finite set of generators, by the WQO property of ≤.
Computing Pre: for a generator (s2, w), Pre of its ideal contains the following generators. For a send transition !m from s1 to s2: if w = w' m then (s1, w'); if last(w) ≠ m then (s1, w), since the sent message may have been lost. For a receive transition ?m from s1 to s2: (s1, m w).

Example: for a generator with channel content a d, the send !d gives the predecessor a; the send !b (b ≠ d) gives the predecessor a d; the receive ?d gives the predecessor d a d.
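The three Pre rules above and the a d example, as an added example (constructed code, not from the slides); the control states s0, s1, s2 and the transition list are assumptions made only to have something concrete to run.

```python
# Pre on generators of an LCS ideal.  A generator is (control state, word);
# its ideal is every state with the same control state and a larger word.
# Constructed LCS: three transitions, all ending in control state "s1".
LCS = [                      # (source, op, message, target); op "!" or "?"
    ("s0", "!", "b", "s1"),
    ("s0", "!", "d", "s1"),
    ("s2", "?", "d", "s1"),
]

def is_subword(u, v):
    """Subword (embedding) ordering on channel contents."""
    it = iter(v)
    return all(ch in it for ch in u)

def pre_generators(gen, transitions):
    """Generators of Pre(ideal of gen), following the three slide rules."""
    state, w = gen
    out = set()
    for src, op, m, dst in transitions:
        if dst != state:
            continue
        if op == "!":
            if w.endswith(m):          # w = w'm: the send produced the last m
                out.add((src, w[:-1]))
            else:                      # last(w) != m: the sent m was lost
                out.add((src, w))
        else:                          # ?m removed m from the head
            out.add((src, m + w))
    return out

def minimize(gens):
    """Keep only generators not covered by a smaller one (same state, subword)."""
    gens = set(gens)
    return {g for g in gens
            if not any(h != g and h[0] == g[0] and is_subword(h[1], g[1])
                       for h in gens)}

if __name__ == "__main__":
    print(sorted(pre_generators(("s1", "ad"), LCS)))
    # [('s0', 'a'), ('s0', 'ad'), ('s2', 'dad')]
```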
Methodology (applied to LCS): 1. computable ordering; 2. monotonicity, computability of Pre; 3. the ordering is a WQO.

LCS, forward vs backward analysis: Pre*(w) is regular and computable; Post*(w) is regular but not computable.
Timed Petri Nets: each token carries an age, and each input arc carries a time interval such as [1,5], [4,7], [0,3], [4,∞), [1,2] or [3,6]; a transition can only consume tokens whose ages lie in the intervals of its input arcs. States = markings (tokens together with their ages). Timed transitions: all ages increase by the same delay. Discrete transitions: firing t consumes tokens whose ages satisfy the arc intervals (e.g. a token of age 0.8 on an arc labelled [0,3]) and produces tokens in the output places (figures omitted).

Timed Petri Nets, summary: concurrent timed systems; infinite-state, hence a symbolic representation is needed; monotonic behaviour; safety properties = reachability of ideals.
Equivalence on Markings: let max be the largest constant in the intervals (max = 7 in the example); tokens with ages > max behave identically. Markings are equivalent if they agree on: the colours (places) of the tokens, the integral parts of the clock values, and the ordering on the fractional parts. An equivalence class is represented as a word over multisets over a finite alphabet: each multiset collects the tokens sharing a fractional part, and the word orders the fractional parts.
Ordering on Markings: M1 ≤ M2 iff there is a marking M3 such that M1 is equivalent to M3 and M3 is a sub-marking of M2. On the symbolic representation, ≤ coincides with the subword ordering on words of multisets over a finite alphabet.

Properties of ≤: it is a well quasi-ordering, by the results on words and multisets above.
Properties of ≤: Monotonicity (figure omitted: a transition from M1 to M3 with M1 ≤ M2 is matched by transitions from M2 through M4, M5 and M6).

Methodology (applied to TPN): 1. computable ordering; 2. monotonicity, computability of Pre; 3. the ordering is a WQO.
Infinite-State Games: two players, A and B, alternately choose the moves; the question is whether B can take the game to the bad states.

Backward Reachability Analysis for games: characterize the losing states for A. A B-state is losing for A if some B-move leads to a losing state; an A-state is losing for A if every A-move leads to a losing state. This defines Pre on sets of states, iterated from the bad states.
Vector Addition Systems with States (VASS): a finite-state automaton operating on variables that range over the natural numbers; the operations increment or decrement a variable (x++, x--, y--). VASS = Petri nets: a variable x corresponds to a place holding x tokens.

VASS Games: Players A and B move a single counter x with the operations x-- and x++; can B take the game to the target state? Example: with x = 0, A cannot avoid the target; with x = 1, A can avoid it; with x > 1, A cannot avoid it. For Player A: x = 0 -- lose, x = 1 -- win, x > 1 -- lose. Hence monotonicity does not imply upward closedness: the winning states for A do not form an ideal.

Why does the backward scheme not work for VASS games? Monotonicity does not imply that ideals are closed under Pre.
2-Counter Machines: counters x and y with operations x++, x--, y-- and the zero test x=0?; whether a given control state is reachable is undecidable.

Simulation of 2-Counter Machines by VASS Games: each counter-machine operation (x++, x--, x=0?) is simulated by a gadget in the VASS game (figures omitted). Consequently safety is undecidable for VASS games, and therefore undecidable for monotonic games in general.
B-Downward Closed Games: from a B-state, B may also move to any smaller state (the B-moves are downward closed). Then Pre of any set through B-states is an ideal, so Pre of an ideal is again an ideal. Backward reachability analysis therefore yields a characterization of the A-losing states and decidability of safety, given a "nice ordering" (computable WQO with computable Pre).

B-LCS Games: LCS games (with operations such as ?n, ?m, !m, !n) in which Player B can lose messages. B-LCS games admit a characterization of the A-losing states, so safety is decidable for B-LCS games.
A-Downward Closed Games: from an A-state, A may also move to any smaller state. The analysis proceeds forward, computing Post and unfolding the game into a tree whose leaves are labelled T (bad states reached) or F. Termination: the unfolding stops when all leaves are closed, which is guaranteed if ≤ is a WQO. Evaluate the tree: B-nodes as OR, A-nodes as AND. Hence safety is decidable for A-LCS games. Can we characterize the winning states?
A Problem for LCS: for an LCS with a distinguished control state s_f, the set { w | ... } of channel contents w at s_f (condition missing from the slides) is regular but not computable.

A-LCS Games: the winning set is regular but not computable. The LCS is turned into an A-LCS game by replacing each send !m and each receive ?m by a game gadget (figures omitted), for each transition of the LCS.
Conclusions and Planned Work: define a WQO on the state space; safety properties = reachability of ideals. Examples: timed Petri nets, parameterized systems, broadcast protocols, cache coherence protocols, lossy channel systems, etc. Planned: extension to games, regular model checking, stochastic behaviours.