Uppsala Dissertations from the Faculty of Science and Technology 50

Julien d'Orso
New Directions in Symbolic Model Checking

Uppsala University, November 25, 2003.
Distribution: Uppsala University Library, Box 510, SE-751 20 Uppsala, Sweden.
ABSTRACT

d'Orso, J. 2003: New Directions in Symbolic Model Checking. Acta Universitatis Upsaliensis. Uppsala Dissertations from the Faculty of Science and Technology 50. 130 pp. Uppsala. ISBN 91-554-5781-9. ISSN 1104-2516.
In today's computer engineering, requirements for generally high reliability have pushed the notion of testing to its limits. Many disciplines are moving, or have already moved, to more formal methods to ensure correctness. This is done by comparing the behavior of the system as it is implemented against a set of requirements. The ultimate goal is to create methods and tools that are able to perform this kind of verification automatically: this is called Model Checking.

Although the notion of model checking has existed for two decades, adoption by industry has been hampered by its poor applicability to complex systems. During the 90's, researchers introduced an approach to cope with large (even infinite) state spaces: Symbolic Model Checking. The key notion is to represent large (possibly infinite) sets of states by a small formula (as opposed to enumerating all members).
In this thesis, we investigate applying symbolic methods to different types of systems:

Parameterized systems. We work within the framework of Regular Model Checking. In regular model checking, we represent a global state as a word over a finite alphabet. A transition relation is represented by a regular length-preserving transducer. An important operation is the so-called transitive closure, which characterizes composing a transition relation with itself an arbitrary number of times. Since the closure of a regular transducer is not regular in general, completeness cannot be achieved, so we propose methods of computing closures that work as often as possible.

Games on infinite structures. Infinite-state systems for which the transition relation is monotonic with respect to a well quasi-ordering on states can be analyzed. We lift the framework of well quasi-ordered domains toward games. We show that monotonic games are in general undecidable. We identify a subclass of monotonic games: downward-closed games. We propose an algorithm to analyze such games with a winning condition expressed as a safety property.

Probabilistic systems. We present a framework for the quantitative analysis of probabilistic systems with an infinite state-space: given an initial state s_init, a set F of final states, and a positive rational tolerance, compute a rational value such that the probability of reaching F from s_init lies between that value and that value plus the tolerance. We present a generic algorithm and sufficient conditions for termination.
Julien d'Orso, Department of Information Technology, Uppsala University, Box 337,
First of all, I would like to thank my supervisor, Prof. Parosh Aziz Abdulla. He got me interested in the world of research, and helped me become part of it. Throughout my 4 PhD years in Uppsala, he lent me a considerable amount of support, especially during the numerous periods before a tough deadline. Thank you for your incredible patience!

Many "arigato's" go to my friend of long date Alexandre David. You trod alone the dangerous path that led to Sweden and Uppsala, pioneering the exchange programme between Uppsala university and our school back in Brest, France. Although we have had a few bad times, I guess we survived, didn't we?

The IT department here in Uppsala has evolved a lot since the day I started. I would like to thank my fellow PhD students at the Algorithmic Verification Group: Aletta Nylen, Pritha Mahata, Johann Deneux, Marcus Nilsson, Lisa Kaati, Noomene Ben Henda, Rezine Ahmed and Mayank Saksena. You have made our working place both lively and fun. Keep up the high mood, guys!

Last, but not least, I want to express my deep gratitude to my family back in France for their unwavering support and love. It's been 5 long years since I left, but my heart has always stayed with you. And you know what? It was worth it!
This work was supported in part by ARTES, the Swedish network for real-time research (http://www.artes.uu.se/), as well as the European Com-

papers, written between 2001 and 2003. The papers are listed below:
Paper A  Parosh A. Abdulla, Bengt Jonsson, Pritha Mahata and Julien d'Orso. Regular Tree Model Checking. In Proc. 14th Int. Conf. on Computer Aided Verification, volume 2404 of Lecture Notes in Computer Science, pages 555-568. Springer Verlag, 2002. Extended version.

Paper B  Parosh A. Abdulla, Bengt Jonsson, Marcus Nilsson and Julien d'Orso. Regular Model Checking made Simple and Efficient. In Proc. 13th Int. Conf. on Concurrency Theory, volume 2421 of Lecture Notes in Computer Science, pages 116-130. Springer Verlag, 2002.

Paper C  Parosh A. Abdulla, Bengt Jonsson, Marcus Nilsson and Julien d'Orso. Algorithmic Improvements in Regular Model Checking. In Proc. 15th Int. Conf. on Computer Aided Verification, volume 2725 of Lecture Notes in Computer Science, pages 236-248. Springer Verlag, 2003. Extended version.

Paper D  Parosh A. Abdulla, Ahmed Bouajjani, and Julien d'Orso. Deciding Monotonic Games. In Proc. 17th Int. Workshop on Computer Science Logic, volume 2803 of Lecture Notes in Computer Science, pages 1-14. Springer Verlag, 2003. Extended version.

Paper E  Parosh A. Abdulla, Julien d'Orso, and Ahmed Rezine. Quantitative Analysis of Infinite Markov Chains. June 2003. Not published.
Comments on my participation:

Paper A  I participated in developing and writing the technical part of this paper together with Parosh Abdulla.

Paper B  The technical framework was developed and written jointly with Marcus Nilsson.

Paper C  The technical framework was developed and written jointly with Marcus Nilsson.

Paper D  All proofs were written jointly with Parosh Abdulla.
Alexandre David, Johann Deneux, and Julien d'Orso. A Formal Semantics for UML Statecharts. Technical report IT-2003-010. Department of Information Technology, Uppsala University. February 2003.

Parosh A. Abdulla, Aletta Nylen, and Julien d'Orso. SAT-Based Analysis of Symbolic Unfoldings. January 2001. Not published.
Contents

1 Introduction
1.1 Background
1.2 Parameterized Systems
1.2.1 Running Example
1.2.2 Transitive Closure and Column Transducer
1.2.3 Methods of Construction for the Transitive Closure
1.3 Infinite Games
1.4 Infinite Probabilistic Systems
1.5 Papers and Contributions
1.6 Conclusions and Future Work

2 Paper A
2.1 Introduction
2.2 Words
2.3 Trees
2.4 Tree Automata
2.5 Symbolic Transducers
2.6 Saturation
2.7 Termination
2.8 Experimental Results
2.9 Conclusions and Future Work

3 Paper B
3.1 Introduction
3.2 An Example
3.3 Algorithm
3.4 Correctness
3.5 Implementation

4 Paper C
4.1 Introduction
4.2 An Example
4.3 Soundness
4.4 A coarse equivalence
4.5 Implementation of the equivalence relation
4.6 Implementation

5 Paper D
5.1 Introduction
5.2 Preliminaries
5.3 Ordered Games
5.4 B-Downward Closed Games
5.5 B-LCS
5.6 A-Downward Closed Games
5.7 Undecidability of Monotonic Games
5.8 Parity Games

6 Paper E
6.1 Introduction
6.2 Transition Systems
6.3 Markov Chains
6.4 Algorithm
6.5 Probabilistic VASS
6.6 Almost Coarse Markov Chains
6.7 Probabilistic Lossy Channel Systems
6.8 Almost Coarseness of PLCS
1 Introduction

1.1 Background

The software and hardware communities have come to realize in the preceding decades that as systems grow more complex, and the cooperation of many individuals is required to complete a given project, there is a growing issue of potential mistakes, so-called bugs. Even though computer users have become quite tolerant of defects in the systems they use in their everyday life, there are instances where such obvious defects would result in the device or system being rejected. Without even mentioning safety-critical applications, it is useful to recall that even everyday, apparently simple appliances like television sets or Hi-Fi sound components require quite sophisticated control software (see e.g. [HSLL97]). It would definitely be a disgrace for a user to "reset" a TV because the control software crashed while pressing some button on the remote control...
While testing is an industry-wide practice, experience shows that this is often not enough: some phenomena cannot be simulated in practice, and the amount of time reserved for testing a given product does not come close to allowing coverage of all possible executions. There is a need for more formal methods and tools that could analyze an implemented system and compare it to its specification. Such methods are called Verification. The ultimate goal of Model Checking is to entirely automate these methods, so that no manual intervention is ever needed during the verification process.
As a general rule, in model checking, the user provides two descriptions:

The model, which is a description of the system to analyze, using some formalism. Mostly, models are written using languages which are variants or extensions of transition systems. Transition systems consist of a set of states, and a binary relation over states called the transition relation.

The specification, which is a set of requirements that the model should satisfy. Historically, there have been two main "families" of logics to reason about a system's behaviour, namely linear-time logics (LTL) and branching-time logics (CTL). We will often be interested in a small subset of these logics, in particular so-called safety properties. Such properties express that "nothing bad will ever happen".

Then, the user asks the question "Does the model satisfy the requirement?". Ideally, both the model and the specification can be fed into a program that automatically gives a (provably correct) answer.
Since the introduction of model checking (see e.g. [CES83]), many tools that can accomplish the task of verification for finite-state systems have appeared, e.g. VIS ([Gro96]). A limiting factor to their application is the so-called state-space explosion problem: each time a bit of data or memory is added to a system, the size of its state-space is multiplied by 2. Researchers have devised several methods for coping with this problem:

Approximation methods. Sometimes, it is impossible to accommodate the whole state-space of a system in memory during verification. Then, one uses partial search techniques that under- or over-approximate the system's reachable states. For example, the model checker SPIN uses an under-approximation called supertrace (see [Hol91]).

Partial order techniques. One makes the observation that not all interleavings of independent actions need to be explored during verification (see e.g. [GW93, ERV96]).

Symbolic methods. A set of states is not represented explicitly, but by a formula from which all members of the set can be reconstructed. A very natural symbolic representation is that of boolean formulas. For example, the use of binary decision diagrams (BDDs, see [Bry86]), a compact representation of boolean functions, has allowed model checking to become practical for the hardware design community (see e.g. [BCL+94]).
An even more challenging problem stems from the fact that many systems that arise naturally have a state-space that can be arbitrarily large, or even infinite, and thus are beyond the capabilities of finite methods and

Control structures. It is common to define protocols with an arbitrary number of entities. We call such systems parameterized, since the number of participants can be seen as a parameter of the protocol. One would like to be able to reason about such a protocol independently of the actual value of the parameter.

Data structures. Algorithms are routinely defined to operate on variables whose values range over an infinite domain, such as counters, stacks, channels, etc. Similarly, when describing timing aspects of a system, one naturally uses real-timed clocks.
To handle infinite systems, two methodologies have been introduced:

Abstraction. In abstraction, one is given an abstraction function which maps concrete states to a smaller set of abstract states. The aim is to construct an abstract image of the concrete system, and perform verification on this hopefully tractable image (see e.g. [LBBO01, CGL94]). But for the verification to be accurate, one needs to find a compromise between keeping and throwing away information. If too much information is kept, then the verification will take too much time and space. If too much information is discarded, then the abstract system will have a behavior inconsistent with the concrete system. In model checking, one has to make the choice of the abstraction function automatic. This task is very difficult.

Extending the symbolic approach. One tries to deal with infinite sets of states rather than finite sets. The main challenge is to invent an appropriate (finite) representation for each new class of systems that are to be analyzed.
Our contributions range over the following topics:

Parameterized systems. With standard model checking methods, one can only verify a protocol for a particular configuration of the protocol entities. Therefore, for every instance of the protocol, one needs to repeat the verification process. Using the framework of regular languages and transducers, we model and reason about parameterized versions of protocols. Given the fact that the transitive closure of a regular transducer is not in general regular, any algorithm that purports to compute closures of transducers will necessarily be incomplete. The challenge is to develop methods that will work in as many cases as
Infinite games. Very close to the area of verification is the problem of controller synthesis. In that area, one tries to model interactions of a controlling system with its environment. The question asked is, given a number of properties that the whole system should satisfy, synthesize a controller that will preserve these properties, irrespective of what happens in the environment. A very useful paradigm for this problem is that of games. The question of synthesis is expressed in terms of finding a winning strategy for an appropriate winning condition.

Infinite probabilistic systems. The semantics of languages based on transition systems usually includes non-determinism, i.e. the notion that several executions of the system are possible. One can express for example the fact that a message in a communication protocol may be lost. However, non-deterministic behavior doesn't allow differentiating between possible executions. In the example of message loss, one may wish to make a difference between losing 1 message, and losing 1000 messages in a row. A natural framework is that of probabilistic systems, in which each transition is assigned a probability. We represent such systems with Markov chains.
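The winning-strategy view of controller synthesis described above is easiest to see on a finite arena. The following Python is an added illustration, not code from the thesis: it solves a two-player safety game by the standard greatest-fixpoint computation of the controller's winning region and extracts a memoryless strategy. The arena (states a to f, with f the only unsafe state) and the owner assignment are constructed for this example. The thesis's own contribution concerns infinite arenas ordered by a well quasi-ordering; this finite version only shows what "winning strategy for a safety condition" means.

```python
"""Safety game on a finite arena (added example, not code from the thesis).

Player 0 is the controller, player 1 the environment.  The controller wins a
play if it never leaves SAFE.  The winning region is the largest set W of safe
states in which the controller can always stay:
  - a controller state is in W iff some successor is in W,
  - an environment state is in W iff every successor is in W.
"""

# Constructed arena: state -> (owner, successors).  Owner 0 = controller, 1 = environment.
ARENA = {
    "a": (0, ["b", "c"]),
    "b": (1, ["a", "d"]),
    "c": (0, ["e"]),
    "d": (1, ["f"]),
    "e": (0, ["b", "c"]),
    "f": (1, ["f"]),   # the bad state: once reached, the play stays there forever
}
SAFE = {"a", "b", "c", "d", "e"}


def controllable_pre(arena, target):
    """States from which the controller can force the next state into `target`."""
    return {
        s for s, (owner, succ) in arena.items()
        if (any(t in target for t in succ) if owner == 0 else all(t in target for t in succ))
    }


def solve_safety(arena, safe):
    """Return (winning_region, strategy).

    Greatest fixpoint: start from the safe states and repeatedly drop every state from
    which the controller cannot guarantee staying inside the current set.  The strategy
    maps each winning controller state to a successor inside the region.
    """
    win = set(safe)
    while True:
        shrunk = win & controllable_pre(arena, win)
        if shrunk == win:
            break
        win = shrunk
    strategy = {
        s: min(t for t in succ if t in win)   # smallest name: deterministic, reproducible
        for s, (owner, succ) in arena.items()
        if owner == 0 and s in win
    }
    return win, strategy


if __name__ == "__main__":
    region, strat = solve_safety(ARENA, SAFE)
    print("winning region:", sorted(region))
    print("strategy:", strat)
```

On this arena the region shrinks twice (d is lost because the environment can move to f, then b because the environment can move to d) and stabilises at {a, c, e}; the strategy keeps the controller cycling between c and e and never offers the environment a move.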
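The quantitative question the thesis asks of such chains (the abstract states it: an interval of width at most a given rational around the probability of reaching F from the initial state) can be approximated on a small example. The Python below is an added illustration and is not the algorithm or one of the models of Paper E: it unfolds a constructed one-counter chain breadth-first, keeping a lower bound (mass that has already reached F) and an upper bound (one minus the mass that has reached states certified as never reaching F), and stops once the two are within eps. The chain, its probabilities and the is_dead certificate are assumptions of the example; whether such a certificate exists for a whole class of infinite chains is what a termination condition has to establish.

```python
"""Interval approximation of a reachability probability (added example).

The chain is an infinite-state toy constructed for this example, not a model
from the thesis: a counter c >= 1 moves to c-1 with probability 0.5, to c+1
with probability 0.3, and to an absorbing "lost" state with probability 0.2.
F = {0}; from "lost" the set F is unreachable.
"""
from collections import defaultdict


def one_counter_step(state):
    """Successor distribution of the constructed chain: list of (state, probability)."""
    if state == "lost" or state == 0:
        return []                       # absorbing
    return [(state - 1, 0.5), (state + 1, 0.3), ("lost", 0.2)]


def approx_reach(init, step, is_final, is_dead, eps, max_depth=100_000):
    """Return (lo, hi, depth) with lo <= P(reach F from init) <= hi and hi - lo <= eps.

    Mass that has hit F raises `lo`; mass that has hit a dead state (is_dead must be a
    sound certificate that F is unreachable from there) lowers `hi`.  Mass still in the
    frontier is undecided, so hi - lo equals the undecided mass.  Probabilities are
    aggregated per state and depth, so the frontier stays small even though the number
    of paths grows exponentially.
    """
    if is_final(init):
        return 1.0, 1.0, 0
    if is_dead(init):
        return 0.0, 0.0, 0
    lo, hi = 0.0, 1.0
    frontier = {init: 1.0}
    for depth in range(max_depth + 1):
        if hi - lo <= eps or not frontier:
            return lo, hi, depth
        nxt = defaultdict(float)
        for s, mass in frontier.items():
            for s2, p in step(s):
                if is_final(s2):
                    lo += mass * p
                elif is_dead(s2):
                    hi -= mass * p
                else:
                    nxt[s2] += mass * p
        frontier = nxt
    raise RuntimeError("undecided mass did not drop below eps within max_depth")


def hit_zero_bounds(eps=1e-3):
    """Bounds on the probability that the counter, started at 1, ever reaches 0."""
    return approx_reach(1, one_counter_step, lambda s: s == 0, lambda s: s == "lost", eps)


if __name__ == "__main__":
    lo, hi, depth = hit_zero_bounds()
    print(f"P(reach 0 from 1) in [{lo:.5f}, {hi:.5f}] after {depth} steps")
```

For this chain the exact value is available as a check: the probability h of reaching 0 from 1 satisfies h = 0.5 + 0.3 h^2 (one step down, or one step up followed by two independent descents), whose root below 1 is about 0.6126. Every unfolding step sends at least a fifth of the undecided mass to the dead state, so the interval shrinks geometrically; in a chain where no state can be certified dead the upper bound would stay at 1 and the loop would never stop, which is the situation the thesis's sufficient conditions for termination are about.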
In the following sections, we present an overview of our contributions.
1.2 Parameterized Systems

We often encounter systems in which a relatively simple component (a sort of "building block") is repeated an arbitrary number of times to form a complex system. Such systems are called parameterized, in the sense that their definition uses the number of entities as a parameter.

Protocols for the control of a shared resource are typical examples of parameterized systems: for instance mutual exclusion protocols. In these protocols, several identical participants compete for access to a shared resource (e.g. the right to transmit on a broadcast medium).

For such protocols, it is important that the system can be proven correct regardless of the configuration. This kind of reasoning is called parametric. We underline the fact that because the system can have any size, it is not possible to do an enumerative exhaustive search of the state-space of a parameterized system: it is infinite. We need a symbolic approach to deal with such systems.
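To make the symbolic treatment concrete, the following Python is an added example, not code from the thesis or its tools. It encodes a token-passing mutual exclusion ring, an assumed instance of the protocols described above: a configuration is a word over {t, n} (the process holding the token, and processes without it), the initial set t n* and the one-step transition relation are regular, and sets of configurations are manipulated only through automata constructions (image under a transducer, union, language inclusion), never by enumeration. It also shows why the transitive closure matters: iterating the one-step transducer never reaches a fixpoint, since every round adds the configurations with the token one process further right, whereas a single application of the closure (written by hand here; computing it automatically is what the thesis's methods aim at) yields the whole reachable set n* t n*, after which the safety check "at most one token" is one inclusion test.

```python
"""Regular model checking of a token ring (added example, not from the thesis).

Configurations are words over {t, n}; sets of configurations are NFAs; the
transition relation is a length-preserving transducer, i.e. an NFA whose
symbols are (input, output) pairs."""
from collections import deque


class NFA:
    """delta maps (state, symbol) -> set of successor states."""
    def __init__(self, start, accept, delta):
        self.start, self.accept = frozenset(start), frozenset(accept)
        self.delta = {k: frozenset(v) for k, v in delta.items()}
        self.alphabet = frozenset(sym for (_, sym) in delta)

    def step(self, states, sym):
        return frozenset(q for s in states for q in self.delta.get((s, sym), ()))

    def accepts(self, word):
        states = self.start
        for sym in word:
            states = self.step(states, sym)
        return bool(states & self.accept)


def post(trans, conf):
    """Image of the regular set `conf` under transducer `trans` (product construction):
    run both automata in lockstep on the input track, keep the output track."""
    delta = {}
    for (t, (a, b)), t_next in trans.delta.items():
        for (q, a2), q_next in conf.delta.items():
            if a2 == a:
                delta.setdefault(((t, q), b), set()).update(
                    (t2, q2) for t2 in t_next for q2 in q_next)
    return NFA({(t, q) for t in trans.start for q in conf.start},
               {(t, q) for t in trans.accept for q in conf.accept}, delta)


def union(x, y):
    """Disjoint union of two NFAs; states are tagged 0 (from x) or 1 (from y)."""
    tagged = ((0, x), (1, y))
    delta = {((i, q), sym): {(i, p) for p in nxt}
             for i, nfa in tagged for (q, sym), nxt in nfa.delta.items()}
    return NFA({(i, q) for i, nfa in tagged for q in nfa.start},
               {(i, q) for i, nfa in tagged for q in nfa.accept}, delta)


def subset(x, y):
    """L(x) subset of L(y)?  Pairs x's states with subsets of y's states (y determinised
    on the fly) and searches for a word x accepts while y's subset is non-accepting."""
    alphabet = x.alphabet | y.alphabet
    seen, todo = set(), deque((q, y.start) for q in x.start)
    while todo:
        q, ys = todo.popleft()
        if (q, ys) in seen:
            continue
        seen.add((q, ys))
        if q in x.accept and not (ys & y.accept):
            return False            # counterexample word found
        for sym in alphabet:
            ys2 = y.step(ys, sym)
            todo.extend((q2, ys2) for q2 in x.delta.get((q, sym), ()))
    return True


def iterate_post(init, trans, max_rounds):
    """Naive reachability: R := R ∪ post(R) until post(R) ⊆ R.  Returns (R, converged)."""
    reach = init
    for _ in range(max_rounds):
        new = post(trans, reach)
        if subset(new, reach):
            return reach, True
        reach = union(reach, new)
    return reach, False


# Initial configurations t n*: the leftmost process holds the token.
INIT = NFA({0}, {1}, {(0, "t"): {1}, (1, "n"): {1}})
# One step: the token moves one process to the right, (n,n)* (t,n) (n,t) (n,n)*.
STEP = NFA({0}, {2}, {(0, ("n", "n")): {0}, (0, ("t", "n")): {1},
                      (1, ("n", "t")): {2}, (2, ("n", "n")): {2}})
# Transitive closure STEP+, written by hand for this example (computing it
# automatically is what the thesis's methods aim at): the token moves right by >= 1.
CLOSURE = NFA({0}, {2}, {(0, ("n", "n")): {0}, (0, ("t", "n")): {1}, (1, ("n", "n")): {1},
                         (1, ("n", "t")): {2}, (2, ("n", "n")): {2}})
# Safety property "at most one token": n* (t n*)?
GOOD = NFA({0}, {0, 1}, {(0, "n"): {0}, (0, "t"): {1}, (1, "n"): {1}})


def analyse(rounds=5):
    """(naive iteration converged?, Init ∪ STEP+(Init) closed under STEP?, safe?)"""
    _, naive_converged = iterate_post(INIT, STEP, rounds)
    reach = union(INIT, post(CLOSURE, INIT))
    return naive_converged, subset(post(STEP, reach), reach), subset(reach, GOOD)


if __name__ == "__main__":
    print(analyse())    # (False, True, True)
```

The inclusion test is what replaces enumeration: it never lists configurations, it explores pairs of an NFA state and a subset of the other automaton's states, so the same check works for rings of every size at once. Raising the round limit in iterate_post only makes the naive iteration run longer; the sequence t n*, n t n*, n n t n*, ... has no finite stage containing the next one, which is exactly the situation in which a closure, or one of the acceleration techniques for computing it, is required.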
The framework of Regular Model Checking provides for boththe mod-