Regular Model Checking - PowerPoint PPT Presentation

About This Presentation
Title:

Regular Model Checking

Description:

Column Transducer Construction. Sufficient Conditions for Exactness. Future Work. Model Checking ... N T. Column Transducer. Configurations: columns members ... – PowerPoint PPT presentation

Slides: 95
Provided by: Par109

Transcript and Presenter's Notes

Title: Regular Model Checking


1
Regular Model Checking
Parosh Aziz Abdulla Uppsala University
In cooperation with B. Jonsson, M. Nilsson, J. d'Orso
2
Outline
  • Model Checking
  • Infinite-State Systems
  • Parameterized Systems
  • Regular Model Checking
  • Column Transducer Construction
  • Sufficient Conditions for Exactness
  • Future Work

3
Model Checking
S sat f ?  (does the system S satisfy the specification f?)
4
Infinite State Systems
1. Unbounded Data Structures
  • Timed Automata
  • Push-Down Automata
  • Communicating Finite State Automata
  • Counter Automata

2. Unbounded Control Structures
  • Parameterized Systems
  • Dynamic Systems

5
Parameterized Systems
  • Mutual exclusion protocols
  • Cache coherence protocols
  • Broadcast protocols

Dynamic Systems
  • Security protocols
  • Multi-threaded programs

6
Model Checking
S sat f ?  (S: parameterized system, f: specification)
Classification of S
  • Topology
  • Components
  • Communication mechanisms

Classification of f
  • Safety properties
  • Liveness properties

7
Topology
(figures: set, array)
8
Tree
(figure)
9
Matrix
(figure)
10
Components
  • Simple finite state process
  • Extended clocks, counters, buffers, etc.

Communication Mechanism
  • binary (rendez-vous)
  • broadcast
  • Neighbour
  • global

11
Simplest Case
Set topology, finite-state processes, rendez-vous communication
Example: parameterized mutual exclusion
(figure: process automaton with transitions labelled R0? R1 and R0)
Counter abstraction: Petri net
12
Petri Net Model
(figure: places W and C, transitions labelled R0? R1 and R0)
Initial marking: no token in C, 1 token in (R0)
Bad markings: at least 2 tokens in C
13
Parameterized System of Finite-State Processes
(German & Sistla)
(figure: a finite-state process with actions a and b; processes synchronize on a, b; the parameterized system and its Petri net representation)
14
Parameterized System of Timed Processes (Timed Networks)
(figure: a timed process with clock x, reset x := 0 and guard x < 5, actions a and b synchronized; the parameterized system and its timed Petri net representation)
15
Array of Finite-State Processes
  • in general undecidable
  • use Regular Model Checking
  • Kesten et al. 97

16
Example: Szymanski's Algorithm
Pseudocode for process i:
1 await ?j j ? i ?sj
2 wi , si true,true
3 if ?j j ? i (pcj ? 1 /\ ?wj) then si false goto 4 else wi false goto 5
4 await ?j j ? i (sj /\ ?wj) then wi , si false,true
5 await ?j j ? i ?wj
6 await ?j j ? i ?sj
7 si false goto 1
17
Linear Process Networks: Token Passing
(figure: a line of processes, e.g. N N N N T; the token T is passed one position to the right per step)
18
Linear Process Networks: Token Passing
(figure: T N N N N)
19
Linear Process Networks: Token Passing
(figure: N T N N N)
20
Token Passing Model
  • Alphabet Σ = {N, T}
  • Configurations: words over Σ
  • Initial Configurations: T N* (regular lang.)
  • Transition Relation: transducer

(figure: the transducer, with states q0 (initial), q1 and q2 (final) and edges q0 -N/N-> q0, q0 -T/N-> q1, q1 -N/T-> q2, q2 -N/N-> q2; i.e. the token T is replaced by N and the N to its right by T)
21-24
A Run of the Transducer
(figure: the transducer above, with edges T/N, N/T, N/N, N/N)
Initial configuration T N N N (in T N*)
R: N T N N
R: N N T N
R: N N N T
Symbolic Run of the Transducer
T/N
N/T
N/N
N/N
R
Initial configurations
T N
26
Symbolic Run of the Transducer
T/N
N/T
N/N
N/N
R
Initial configurations
T N
R
N T N
27
Symbolic Run of the Transducer
T/N
N/T
N/N
N/N
R
Initial configurations
T N
R
N T N
R
N N T N
28
Symbolic Run of the Transducer
T/N
N/T
N/N
N/N
R
Initial configurations
T N
R
N T N
  • Termination ?
  • Ideally compute
  • R (T N) N T N

R
N N T N
R
N N N T N
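The concrete run of slides 21-24 and the symbolic run of slides 25-28, as an added worked example (this is not code from the slides or from the authors' tool): a regular set of configurations is an NFA, one step of R is a product with the transducer, and iterating it produces a fresh automaton for N^i T N* at every step, which is why the iteration never stabilizes. The NFA encoding, the states a and b of the initial set and all function names are this example's own assumptions; only q0, q1, q2 follow the slides.

```python
# Added example, not from the slides: the token-passing relation R applied
# symbolically to the regular set T N* ("symbolic run" slides). A regular set of
# configurations (words over {N, T}) is an NFA; R(L) is the product of L's NFA with
# the transducer, keeping output letters. Only q0, q1, q2 are the slides' names.

class NFA:
    """delta maps (state, letter) -> set of successor states."""
    def __init__(self, delta, init, final):
        self.delta, self.init, self.final = delta, frozenset(init), frozenset(final)
    def accepts(self, word):
        cur = self.init
        for sym in word:
            cur = frozenset(t for s in cur for t in self.delta.get((s, sym), ()))
        return bool(cur & self.final)

# Transducer R; letters are (input, output) pairs. q0 copies N's, q0 -T/N-> q1
# removes the token, q1 -N/T-> q2 puts it one position to the right, q2 copies.
TOKEN_PASSING = NFA(
    {("q0", ("N", "N")): {"q0"}, ("q0", ("T", "N")): {"q1"},
     ("q1", ("N", "T")): {"q2"}, ("q2", ("N", "N")): {"q2"}},
    init={"q0"}, final={"q2"})

INITIAL = NFA({("a", "T"): {"b"}, ("b", "N"): {"b"}}, init={"a"}, final={"b"})  # T N*

def successors(word, td=TOKEN_PASSING):
    """Concrete run (slides 21-24): every w such that (word, w) is in R."""
    cur = {(s, "") for s in td.init}
    for a in word:
        cur = {(t, out + b) for (s, out) in cur
               for (s2, (a2, b)), ts in td.delta.items() if (s2, a2) == (s, a) for t in ts}
    return sorted(out for (s, out) in cur if s in td.final)

def post(lang, td=TOKEN_PASSING):
    """Symbolic step R(lang): product construction over matching input letters."""
    delta = {}
    for (p, a), ps in lang.delta.items():
        for (s, (a2, b)), ss in td.delta.items():
            if a2 == a:
                delta.setdefault(((p, s), b), set()).update(
                    (p2, s2) for p2 in ps for s2 in ss)
    return NFA(delta, {(p, s) for p in lang.init for s in td.init},
               {(p, s) for p in lang.final for s in td.final})

def symbolic_run(k, lang=INITIAL):
    """[L, R(L), ..., R^k(L)]: R^i(T N*) = N^i T N* is a new automaton at every
    step, so iterating never stabilizes although R*(T N*) = N* T N* is regular."""
    run = [lang]
    for _ in range(k):
        run.append(post(run[-1]))
    return run
```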
29-34
Column Transducer
(figures: the transducer R, with states labelled q1, q2 and edges T/N, N/T, N/N, N/N, applied repeatedly; the runs are stacked on top of each other, one row per application of R)
T N N N N
N T N N N
N N T N N
N N N T N
N N N N T
35
Column Transducer
  • Configurations: columns (sequences of transducer states, one per stacked run)
  • Transitions: (figure: a transition from column x to column y)
  • Initial configurations: columns of initial states
  • Final configurations: columns of final states

36
Example: Token passing
(figure: the transducer R with states q1, q2 and edges T/N, N/T, N/N, N/N; its initial columns, final columns and transitions, e.g. a column of N's; and therefore, e.g., a run starting from T N N N)
37
Example: Token passing
(figure as above, with initial and final columns)
  • Transducer language: transitive closure
  • Problem:
  • number of columns infinite !!
  • Solution: abstraction !!

38
Computing Abstract Transducer
  • Define equivalence ~ on columns
  • Start with original transducer
  • repeat
  • until construction stabilizes

39
Computing Abstract Transducer
  • Define equivalence ~ on columns
  • Start with initial configurations (columns)
  • repeat
  •   if x --a/b--> z and y --b/c--> w then add the stacked column (x y) --a/c--> (z w)
  • until construction stabilizes

40
Computing Abstract Transducer
  • Define equivalence ~ on columns
  • Start with initial configurations (columns)
  • repeat
  •   if x --a/b--> z and y --b/c--> w then add the stacked column (x y) --a/c--> (z w)
  •   if x ~ y then merge x and y
  • until construction stabilizes

41
Defining ~
(figure: a transducer with edges labelled N and T; its states are classified as left-copying states, non-copying states and right-copying states)
42
Defining ~
(figure as above)
x ~ y if x = y modulo deletion of identical left- or right-copying neighbours
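The construction of slides 38-42 carried out for token passing, as an added example (not code from the slides or from the authors' implementation): columns are built by stacking a transducer state on an existing column, normalised by the equivalence just defined, and the loop runs until nothing changes; the resulting abstract transducer is then run on pairs of words. It assumes the transducer R of slide 20 with q0 left-copying and q2 right-copying; the table TD and the names norm, abstract_transducer and accepts_pair are this example's own.

```python
# Added example, not from the slides: the abstract column transducer for the
# token-passing relation R, built by the "Computing Abstract Transducer" recipe
# with the equivalence "equal modulo deletion of identical left- or right-copying
# neighbours". R and the names q0, q1, q2 are the slides'; the rest is this example's.
TD = {("q0", "N", "N"): "q0", ("q0", "T", "N"): "q1",   # (state, in, out) -> next state
      ("q1", "N", "T"): "q2", ("q2", "N", "N"): "q2"}
INIT, FINAL = "q0", "q2"
COPYING = {"q0", "q2"}   # q0 is left-copying, q2 right-copying (slide 43)

def norm(col):
    """Class representative: drop a copying state equal to its left neighbour,
    so q0 q0 q1 q2 q2 -> q0 q1 q2 (q1 is non-copying and is never merged)."""
    out = []
    for s in col:
        if not (out and out[-1] == s and s in COPYING):
            out.append(s)
    return tuple(out)

def abstract_transducer():
    """Columns reachable from the initial column class [q0] plus their edges
    (a, c, target). A column (q y) steps on a/c when q reads a writing b and the
    class of y reads b writing c; the result is normalised on the fly, and the
    class [x] collects the edges of every representative found, until stable."""
    cols, edges = {(INIT,)}, {}
    while True:
        before = (set(cols), {x: set(es) for x, es in edges.items()})
        for x in list(cols):
            q, rest = x[0], x[1:]
            new = edges.setdefault(x, set())
            if not rest:                       # height-1 column: R's own edges
                new |= {(a, b, (t,)) for (s, a, b), t in TD.items() if s == q}
            # representatives of [x]: (q y) with y ~ rest, or y ~ x when q copies
            ys = ([rest] if rest else []) + ([x] if q in COPYING else [])
            for y in ys:
                for (s, a, b), t in TD.items():
                    if s == q:
                        new |= {(a, c, norm((t,) + w))
                                for (a2, c, w) in list(edges.get(y, ())) if a2 == b}
            cols |= {z for (_, _, z) in new}
        if (cols, edges) == before:
            return cols, edges

def accepts_pair(abstract, w_in, w_out):
    """True iff the abstract transducer relates w_in to w_out, i.e. (w_in, w_out)
    is in R^+ when the abstraction is exact (it is, for token passing)."""
    cols, edges = abstract
    cur = {(INIT,)}
    for a, c in zip(w_in, w_out):
        cur = {z for x in cur for (a2, c2, z) in edges.get(x, ()) if (a2, c2) == (a, c)}
    return len(w_in) == len(w_out) and (FINAL,) in cur
```

For token passing the loop stops with six abstract columns, whereas the exact column transducer has infinitely many.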
43
Example: Token passing
(figure: the transducer R with states q0, q1, q2 and edges T/N, N/T, N/N, N/N; q0 is a left-copying state, q2 a right-copying state; example columns built from q0, q1, q2)
44-60
Example: Token passing
(figures: step-by-step construction of the abstract column transducer; its states are columns over q0, q1, q2, its edges are labelled N/T, T/N and N/N)
61-63
Exactness of ~
(figures: columns x, y, z, an equivalence class, initial states and final states of the column transducer)
How to define ~ ?
64-65
Forward Simulation
(figure) F is a forward simulation: if x1 F y1 and x1 steps to x2, then there is y2 with y1 stepping to y2 and x2 F y2
66-67
Backward Simulation
(figure) B is a backward simulation: the symmetric condition on predecessors; if x1 B y1 and x2 steps to x1, then there is y2 stepping to y1 with x2 B y2
68
Equivalence
x ~ y iff there are z and w with x F z B y and x B w F y
F, B independent: whenever x B z F y for some z, there is a w with x F w B y
69
Example
x B y if x = y modulo deletion of identical left-copying neighbours
(figure: columns x, y)
70
Example
x B y if x = y modulo deletion of identical left-copying neighbours
(figure: example columns over q0, q1, q2 related by B)
71
Example
x B y if x = y modulo deletion of identical left-copying neighbours
x F y if x = y modulo deletion of identical right-copying neighbours
(figure: example columns over q0, q1, q2 related by B and by F)
72-77
Independence
(figures: columns over q0, q1, q2 related by F and B, illustrating the independence of F and B on the token-passing example)
78
Example
x B y if x = y modulo deletion of identical left-copying neighbours
x F y if x = y modulo deletion of identical right-copying neighbours
Induced equivalence: x ~ y if x = y modulo deletion of identical left- or right-copying neighbours
79-80
Consequence
(figures: columns x, y, z, w related by F and B)
81-90
(figures: diagram chase for the exactness argument, with a run x0, x1, x2, x3, an abstract run y1, y2, y3, and intermediate columns w0..w3, v1..v3, z0..z3 related by F and B)
91
Other Examples: Szymanski's Algorithm (idealized)
(pseudocode as on slide 16)
92
Built states in transitive closures
93
www.regularmodelchecking.com
  • Full implementation available
  • Implementation of automata with symbolic edges
    (BDDs)
  • Source available under GPL

94
Future Work
  • Tree-like Topologies
  • Liveness properties
  • Non-structure-preserving
  • Other kinds of systems: stacks, queues, timed, etc.