Regular Model Checking Ahmed Bouajjani,Benget Jonsson, Marcus Nillson and Tayssir Touili Moran Ben Tulila

Outline Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion

About Regular Model Checking A framework for algorithmic verification of infinite-state systems with e.g. queues,stacks,integers, or a parameterized linear (or ring-formed) topology Considers systems whose states can be represented as finite strings of arbitrary length over a finite alphabet We will focus on the problems of computing the set of states that are reachable from some set of initial states, and on computing the transitive closure of the transition relation Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion

Verification Problems Computing Reachability Sets- Computing Transitive Closure- Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion

Motivation The problem of verifying that a system satisfies a certain correctness property is usually reduced to checking some form of reachability problem on a transition system model of the system Examples: mutual exclusion Q: So, why not to use standard iteration-based methods? Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion finding loops of parameterized systems

The (Obvious) Answer: Termination is not guaranteed for parameterized or infinite- state systems! -termination is guaranteed only if there is a bound on the distance (in number of transitions) from the initial configurations to any reachable configuration Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion

Definitions Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion Regular Set- Cross Product-

Definitions (Cont.) Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion Regular Relation - A regular relation can be conveniently recognized by a finite-state transducer

Definitions (Cont.) Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion Transducer- Example: the token passing protocol 012 The transition relation can be represented by a finite set of actions, when each action is a regular relation between strings that can be represented by a finite- state transducer (as the one above)

Program Model Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion Example: the token passing protocol

Another Example of System Modeling Systems communicating over unbounded FIFO channels Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion FIFO channel … M1M2M3 Configurations are of the form:

Another Example of System Modeling (Cont.) The system is modeled by: Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion

Computing the Transitive Closure We will present a technique for computing R + by computing a minimal deterministic transducer that recognizes it At this point – our construction is not guaranteed to terminate (in particular if R+ is not regular) we’ll see how to deal with that problem in a few slides From now on – assume R is a regular relation on Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion

Computing the Transitive Closure (Cont.) R regular  R can be represented as a finite-state transducer: Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion

Computing the Transitive Closure (Cont.) Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion

Computing the Transitive Closure (Cont.) In matrix form: Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion

Computing the Transitive Closure (Cont.) The first step in our construction will be to regard this matrix as a single run of another transducer The new transducer’s states will be the columns of the matrix The new transducer’s transitions will represent the relationship between adjacent columns in the matrix Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion

Computing the Transitive Closure (Cont.) We define the Column Transducer for R+ as the tuple n when: - F+ is the set of non-empty sequences of accepting states of R Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion The column transducer for R+ accepts exactly the relation R+

Example Recall our transducer for the transition relation of the token passing protocol : Alphabet slightly changed Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion

Example The matching column transducer looks as follows: Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion

But… The calculated transducer has infinitely many states So, we will try to determinize it using the standard subset- construction, in the hope of decreasing the number of states Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion

Reminder from Automata Course Subset Construction – standard method for converting a nondeterministic finite automaton (NFA) into a deterministic finite automaton (DFA) which recognizes the same formal language applies most directly to an NFA that does not allow epsilon moves For a NFA (Q, Σ, T, q 0, F) in which Q is the set of states, Σ is the set of input symbols, T is the transition function,q 0 is the initial state, and F is the set of accepting states – the matching DFA has states corresponding to subsets of Q. its initial state is {q 0 }, the transition function of the DFA maps a state S (representing a subset of Q) and an input symbol x to the set T(S,x) = ∪ {T(q,x) | q ∈ Q} and a state S of the DFA is an accepting state if and only if at least one member of S is an accepting state of the NFA Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion

Subset- Construction Example For the NFA: Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion

Subset- Construction Example (Cont.) We get the following DFA: Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion

Determinizing the Column Transducer Let x,y range over columns and X,Y over sets of columns The subset construction applied to the column transducer yields the automaton: Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion when:

Determinizing the Column Transducer (Cont.) A few technical details: The transducer is constructed on-the-fly, starting from the initial state and computing successors for each generated state X and pair of symbols (a,a’) The construction terminates when no new states are generated In most cases, the subset-construction does not yield a finite automaton Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion

Determinizing the Column Transducer - Example Deterministic transducer built from the column transducer for the token passing protocol: Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion

Transducer’s Minimization As shown, the subset construction doesn’t necessarily yield a finite automata Therefore, we try to make it smaller by identifying equivalent sets of columns during the construction (and merging them) We’ll define equivalent sets as the following: Two sets X,Y of columns are equivalent if suff(X)=suff(Y) Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion

Transducer’s Minimization (Cont.) Detection of equivalent sets is based on saturation The basic idea- Extend (saturate) each set X of columns by additional columns x such that Hopefully, two equivalent sets of columns will become identical after saturation Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion

Transducer’s Minimization (Cont.) Dedinition: A state q in the original transducer R is a copying state if Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion Saturation Rule:

Transducer’s Minimization (Cont.) Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion If the set of reachable states in the automaton is finite, then R+ is regular and then, using standard techniques we can obtain a minimal deterministic finite- state transducer which recognizes R+

Transducer’s Minimization - Example The minimal deterministic transducer accepting R+ for the token passing protocol is: Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion

Termination It can be shown that R+ is regular under some sufficient conditions on a regular relation R (so in that case our construction of R+ yields a finite-state transducer) In order to characterize the class of regular relations R for which our transitive-closure works, we define a notion of local depth: Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion

Termination (Cont.) Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion Intuitively, a relation with local depth k never needs to rewrite any element of a word more than k times to relate two words

For example: The transition relation in a parameterized system in which a process passes a token to its right neighbor (token passing protocol) has local depth 2, since in an arbitrary execution sequence, each process is affected at most twice: When receiving the token When sending the token Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion Termination (Cont.)

With some modifications, this method enable us to compute as well Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion Computing Reachable Configurations

Used to speed up the calculation of a regular fixpoint Applied during the iterative construction of the set of reachable configurations in order to help termination Our technique consists in: guessing automatically the image of iterating a relation starting from some given regular set deciding whether this guess is correct Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion Widening

A widening step consists in: guessing the result of iterating R starting from by comparing to In general, this guess can be made by considering the sets up to some finite bound k Adding the obtained set (the guess) to the computed set of configurations Continuing exploration of the configuration space Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion Computing Set of Reachable Configurations

Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion Computing Set of Reachable Configurations (Cont.) Intuitively: C1  applying R to is to like “adding” between and C2  ( is a fixpoint of and is the least fixpoint of F)

Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion Computing Set of Reachable Configurations (Cont.) Our work process: Given two regular sets and we need to find regular sets such that C1 holds and check that condition C2 also holds for these sets Notice that by adding to the computed set of configurations we capture at least all the reachable configurations from by iterating R. Nevertheless, the inclusion isn’t guaranteed by C2 (for any kind of regular relation R)

Computing reachability set from initial configurations for the token passing protocol: Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion Computing Set of Reachable Configurations - Example C1 holds since: C2 holds since: in this example, we apply an exact widening step by adding to the set of reachable configurations. By doing this, our procedure terminates and we get the result:

As stated before – our method doesn’t guarantee us finding the set of reachable configurations exactly We will introduce a class of relations for which it can be shown that our widening technique is exact Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion Exact Widening

Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion Exact Widening (Cont.) A few definitions-

Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion Exact Widening (Cont.) A few definitions (cont.) -

Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion Exact Widening (Cont.) To prove this theorem we define: Nathreian relations- a length preserving relation R is natherian iff

Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion Exact Widening (Cont.) Then we can prove:

Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion Constructing Transitive Closures Widening technique can also be used to compute the transitive closure of a length preserving relation R

Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion Constructing Transitive Closures Widening technique can also be used to compute the transitive closure of a length preserving relation R

Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion Verifying Properties We will show how to reduce the problem of verifying a property specified by a Buchi automaton to the problem of computing the transitive closure Based on the fact that detecting infinite sequences reduces to detecting loops We can use this idea to verify that a program satisfies an ω-regular property under a set of fairness requirements

Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion Verifying Properties (Cont.) An ω-language consists of infinite words (ω-words), when each word can be viewed as function from N to Σ, with the value at i giving the symbol at position I The set of all infinite words over Σ is denoted Σ ω Thus, an ω-language L over Σ is a subset of Σ ω, An ω-language L is ω-regular if it has the form: A ω where A is a nonempty regular language not containing the empty string AB, the concatenation of a regular language A and an ω-regular language B (Note that BA is not well-defined) A ∪ B where A and B are ω-regular languages (this rule can only be applied finitely many times)

Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion Verifying Properties (Cont.) Every ω-regular language can be recognized by a Buchi automaton, when:

Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion Verifying Properties (Cont.) Our verification process: encode the negation of the property to be checked as a Buchi automaton encode each fairness constraint as a Buchi automaton (we can handle parameterized fairness requirements by associating one Buchi automaton with each position in the word, which expresses the fairness constraint for that position) construct the product of the program with the Buchi automaton for the negation of the property, and the Buchi automata for the fairness requirements check whether this product has a reachable “fair loop” in which each Buchi automaton visits an accepting state

Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion Verifying Properties (Cont.) Observer bit – one per Buchi automaton. Initialized to “false” in a reachable state and becomes “true” whenever the Buchi automaton reaches an accepting state. Can never become “false” after being set to “true” - transition relation containing both Buchi automata and observer bits Fair loops can be detected by checking whether relates a reachable state with all observer bits being “false” with the same reachable state with all observer bits being “true”

Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion Verifying Properties- Example We want to verify the liveness property “every process eventually gets the token” of the token passing protocol: The property negation is: “some process never gets the token” The negation can be expressed by a Buchi automaton accepting an infinite sequence of states of a process where the token is never obtained Encoded by adding a boolean variable r and changing transition relation and set of initial configurations so that: r is true at exactly one position in the word The truth value of r never changes in any position The token is never passed to the position where r holds

Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion Verifying Properties- Example (Cont.) The fairness constraint for each process is: The process may not hold the token indefinitely And can be expressed by the Buchi automaton: These Buchi automata are encoded by an extra variable s, initialized to s1 and ranging over {s1,s2} The transition relation is extended so that it includes s

Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion Verifying Properties- Example (Cont.) We can now check for fair infinite runs that violate the original property by checking the emptiness of the set:

Introduction Program Model Definition Automata Theoretic Construction of the Transitive Closure Widening Based Techniques Model Checking of -Regular Properties Conclusion Regular model checking – framework for algorithmic verification of parameterized and infinite-state systems Automata theoretic construction of transitive closure of regular relation Widening based techniques for computing set of reachable configurations Implementation during verification

The End