
Uppsala Dissertations from the Faculty of Science and Technology 50

New Directions in Symbolic Model Checking

Julien d'Orso

at Uppsala University, November 25, 2003.

Uppsala dissertations from the Faculty of Science and Technology 50.

Distribution: Uppsala University Library, Box 510, SE-751 20 Uppsala, Sweden.

ABSTRACT

d'Orso, J. 2003: New Directions in Symbolic Model Checking. Acta Universitatis Upsaliensis. Uppsala dissertations from the Faculty of Science and Technology 50. 130 pp. Uppsala. ISBN 91-554-5781-9. ISSN 1104-2516.

In today's computer engineering, requirements for generally high reliability have pushed the notion of testing to its limits. Many disciplines are moving, or have already moved, to more formal methods to ensure correctness. This is done by comparing the behavior of the system as it is implemented against a set of requirements. The ultimate goal is to create methods and tools that are able to perform this kind of verification automatically: this is called Model Checking.

Although the notion of model checking has existed for two decades, adoption by industry has been hampered by its poor applicability to complex systems. During the 90's, researchers introduced an approach to cope with large (even infinite) state spaces: Symbolic Model Checking. The key notion is to represent large (possibly infinite) sets of states by a small formula (as opposed to enumerating all members).

In this thesis, we investigate applying symbolic methods to different types of systems:

Parameterized systems. We work within the framework of Regular Model Checking. In regular model checking, we represent a global state as a word over a finite alphabet. A transition relation is represented by a regular length-preserving transducer. An important operation is the so-called transitive closure, which characterizes composing a transition relation with itself an arbitrary number of times. Since completeness cannot be achieved, we propose methods of computing closures that work as often as possible.

Games on infinite structures. Infinite-state systems for which the transition relation is monotonic with respect to a well quasi-ordering on states can be analyzed. We lift the framework of well quasi-ordered domains toward games. We show that monotonic games are in general undecidable. We identify a subclass of monotonic games: downward-closed games. We propose an algorithm to analyze such games with a winning condition expressed as a safety property.

Probabilistic systems. We present a framework for the quantitative analysis of probabilistic systems with an infinite state-space: given an initial state s_init, a set F of final states, and a rational tolerance greater than 0, compute a rational lower bound such that the probability of reaching F from s_init lies between that bound and the bound plus the tolerance. We present a generic algorithm and sufficient conditions for termination.

Julien d'Orso, Department of Information Technology, Uppsala University, Box 337,


First of all, I would like to thank my supervisor, Prof. Parosh Aziz Abdulla. He got me interested in the world of research, and helped me become part of it. Throughout my 4 PhD years in Uppsala, he lent me a considerable amount of support, especially during the numerous periods before a tough deadline. Thank you for your incredible patience!

Many "arigato's" go to my friend of long date Alexandre David. You trod alone the dangerous path that led to Sweden and Uppsala, pioneering the exchange programme between Uppsala University and our school back in Brest, France. Although we have had a few bad times, I guess we survived, didn't we?

The IT department here in Uppsala has evolved a lot since the day I started. I would like to thank my fellow PhD students at the Algorithmic Verification Group: Aletta Nylen, Pritha Mahata, Johann Deneux, Marcus Nilsson, Lisa Kaati, Noomene Ben Henda, Rezine Ahmed and Mayank Saksena. You have made our working place both lively and fun. Keep up the high mood, guys!

Last, but not least, I want to express my deep gratitude to my family back in France for their unwavering support and love. It's been 5 long years since I left, but my heart has always stayed with you. And you know what? It was worth it!

This work was supported in part by ARTES, the Swedish network for real-time research (http://www.artes.uu.se/), as well as the European Com-

papers, written between 2001 and 2003. The papers are listed below:

Paper A Parosh A. Abdulla, Bengt Jonsson, Pritha Mahata and Julien d'Orso. Regular Tree Model Checking. In Proc. 14th Int. Conf. on Computer Aided Verification, volume 2404 of Lecture Notes in Computer Science, pages 555-568. Springer Verlag, 2002. Extended version.

Paper B Parosh A. Abdulla, Bengt Jonsson, Marcus Nilsson and Julien d'Orso. Regular Model Checking made Simple and Efficient. In Proc. 13th Int. Conf. on Concurrency Theory, volume 2421 of Lecture Notes in Computer Science, pages 116-130. Springer Verlag, 2002.

Paper C Parosh A. Abdulla, Bengt Jonsson, Marcus Nilsson and Julien d'Orso. Algorithmic Improvements in Regular Model Checking. In Proc. 15th Int. Conf. on Computer Aided Verification, volume 2725 of Lecture Notes in Computer Science, pages 236-248. Springer Verlag, 2003. Extended version.

Paper D Parosh A. Abdulla, Ahmed Bouajjani, and Julien d'Orso. Deciding Monotonic Games. In Proc. 17th Int. Workshop on Computer Science Logic, volume 2803 of Lecture Notes in Computer Science, pages 1-14. Springer Verlag, 2003. Extended version.

Paper E Parosh A. Abdulla, Julien d'Orso, and Ahmed Rezine. Quantitative Analysis of Infinite Markov Chains. June 2003. Not published.

Comments on my participation:

Paper A I participated in developing and writing the technical part of this paper together with Parosh Abdulla.

Paper B The technical framework was developed and written jointly with Marcus Nilsson.

Paper C The technical framework was developed and written jointly with Marcus Nilsson.

Paper D All proofs were written jointly with Parosh Abdulla.

- Alexandre David, Johann Deneux, and Julien d'Orso. A Formal Semantics for UML Statecharts. Technical report IT-2003-010. Department of Information Technology, Uppsala University. February 2003.

- Parosh A. Abdulla, Aletta Nylen, and Julien d'Orso. SAT-Based Analysis of Symbolic Unfoldings. January 2001. Not published.

1 Introduction 1
1.1 Background 1
1.2 Parameterized Systems 4
1.2.1 Running Example 5
1.2.2 Transitive Closure and Column Transducer 6
1.2.3 Methods of Construction for the Transitive Closure 8
1.3 Infinite Games 9
1.4 Infinite Probabilistic Systems 12
1.5 Papers and Contributions 14
1.6 Conclusions and Future Work 14

2 Paper A 19
2.1 Introduction 19
2.2 Words 22
2.3 Trees 22
2.4 Tree Automata 24
2.5 Symbolic Transducers 27
2.6 Saturation 32
2.7 Termination 37
2.8 Experimental Results 41
2.9 Conclusions and Future Work 44

3 Paper B 49
3.1 Introduction 49
3.2 An Example 52
3.3 Algorithm 54
3.4 Correctness 57
3.5 Implementation 62

4 Paper C 69
4.1 Introduction 69
4.2 An Example 72
4.3 Soundness 76
4.4 A coarse equivalence 79
4.5 Implementation of the equivalence relation 81
4.6 Implementation 83

5 Paper D 87
5.1 Introduction 87
5.2 Preliminaries 89
5.3 Ordered Games 90
5.4 B-Downward Closed Games 91
5.5 B-LCS 95
5.6 A-Downward Closed Games 100
5.7 Undecidability of Monotonic Games 103
5.8 Parity Games 106

6 Paper E 113
6.1 Introduction 113
6.2 Transition Systems 115
6.3 Markov Chains 116
6.4 Algorithm 117
6.5 Probabilistic VASS 119
6.6 Almost Coarse Markov Chains 121
6.7 Probabilistic Lossy Channel Systems 123
6.8 Almost Coarseness of PLCS 124

Introduction

1.1 Background

The software and hardware communities have come to realize in the preceding decades that as systems grow more complex, and the cooperation of many individuals is required to complete a given project, there is a growing issue of potential mistakes, so-called bugs. Even though computer users have become quite tolerant of defects in the systems that they use in their everyday life, there are instances where such obvious defects would result in the device or system being rejected. Without even mentioning safety-critical applications, it is useful to recall that even everyday, apparently simple appliances like television sets or Hi-Fi sound components require quite sophisticated control software (see e.g. [HSLL97]). It would definitely be a disgrace for a user to "reset" a TV because the control software crashed while pressing some button on the remote control...

While testing is an industry-wide practice, experience shows that this is often not enough: some phenomena cannot be simulated in practice, and the amount of time reserved for testing a given product does not come close to allowing coverage of all possible executions. There is a need for more formal methods and tools that could analyze an implemented system and compare it to its specification. Such methods are called Verification. The ultimate goal of Model Checking is to entirely automate these methods, so that no manual intervention is ever needed during the verification process.

As a general rule, in model checking, the user provides two descriptions:

- The model, which is a description of the system to analyze, using some formalism. Mostly, models are written using languages which are variants or extensions of transition systems. Transition systems consist of a set of states, and a binary relation over states called the transition relation.

- The specification, which is a set of requirements that the model should satisfy. Historically, there have been two main "families" of logics to reason about a system's behaviour, namely linear-time logics (LTL) and branching-time logics (CTL). We will often be interested in a small subset of these logics, in particular so-called safety properties. Such properties express that "nothing bad will ever happen".

Then, the user asks the question "Does the model satisfy the requirement?". Ideally, both the model and the specification can be fed into a program that automatically gives a (provably correct) answer.

Since the introduction of model checking (see e.g. [CES83]), many tools that can accomplish the task of verification for finite-state systems have appeared, e.g. VIS ([Gro96]). A limiting factor to their application is the so-called state-space explosion problem: each time a bit of data or memory is added to a system, the size of its state-space is multiplied by 2. Researchers have devised several methods for coping with this problem:

- Approximation methods. Sometimes, it is impossible to accommodate the whole state-space of a system in memory during verification. Then, one uses partial search techniques that under- or over-approximate the system's reachable states. For example, the model checker SPIN uses an under-approximation called supertrace (see [Hol91]).

- Partial order techniques. One makes the observation that not all interleavings of independent actions need to be explored during verification (see e.g. [GW93, ERV96]).

- Symbolic methods. A set of states is not represented explicitly, but by a formula from which all members of the set can be reconstructed. A very natural symbolic representation is that of boolean formulas. For example, the use of binary decision diagrams (BDDs, see [Bry86]), a compact representation of boolean functions, has allowed model checking to become practical for the hardware design community (see e.g. [BCL+94]).

An even more challenging problem stems from the fact that many systems that arise naturally have a state-space that can be arbitrarily large, or even infinite, and thus are beyond the capabilities of finite methods and

- Control structures. It is common to define protocols with an arbitrary number of entities. We call such systems parameterized, since the number of participants can be seen as a parameter of the protocol. One would like to be able to reason about such a protocol independently of the actual value of the parameter.

- Data structures. Algorithms are routinely defined to operate on variables whose values range over an infinite domain, such as counters, stacks, channels, etc. Similarly, when describing timing aspects of a system, one naturally uses real-valued clocks.

To handle infinite systems, two methodologies have been introduced:

- Abstraction. In abstraction, one is given an abstraction function which maps concrete states to a smaller set of abstract states. The aim is to construct an abstract image of the concrete system, and perform verification on this hopefully tractable image (see e.g. [LBBO01, CGL94]). But for the verification to be accurate, one needs to find a compromise between keeping and throwing away information. If too much information is kept, then the verification will take too much time and space. If too much information is discarded, then the abstract system will have a behavior inconsistent with the concrete system. In model checking, one has to make the choice of the abstraction function automatic. This task is very difficult.

- Extending the symbolic approach. One tries to deal with infinite sets of states rather than finite sets. The main challenge is to invent an appropriate (finite) representation for each new class of systems that are to be analyzed.

Our contributions range over the following topics:

- Parameterized systems. With standard model checking methods, one can only verify a protocol for a particular configuration of the protocol entities. Therefore, for every instance of the protocol, one needs to repeat the verification process. Using the framework of regular languages and transducers, we model and reason about parameterized versions of protocols. Given the fact that the transitive closure of a regular transducer is not in general regular, any algorithm that purports to compute closures of transducers will necessarily be incomplete. The challenge is to develop methods that will work in as many cases as possible.

- Infinite games. Very close to the area of verification is the problem of controller synthesis. In that area, one tries to model the interactions of a controlling system with its environment. The question asked is, given a number of properties that the whole system should satisfy, synthesize a controller that will preserve these properties, irrespective of what happens in the environment. A very useful paradigm for this problem is that of games. The question of synthesis is expressed in terms of finding a winning strategy for an appropriate winning condition.

- Infinite probabilistic systems. The semantics of languages based on transition systems usually includes non-determinism, i.e. the notion that several executions of the system are possible. One can express for example the fact that a message in a communication protocol may be lost. However, non-deterministic behavior does not allow differentiating between possible executions. In the example of message loss, one may wish to make a difference between losing 1 message and losing 1000 messages in a row. A natural framework is that of probabilistic systems, in which each transition is assigned a probability. We represent such systems with Markov chains.
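The game formulation of controller synthesis from the first item above, worked through on a finite arena. This is an added example written for this page, not code from the thesis: a safety game between the controller and its environment is solved by computing the environment's attractor of the bad states (the states from which the environment can force a visit to Bad) and taking its complement as the controller's winning region; a positional strategy is read off by picking, at each winning controller node, any successor that stays in the region. The arena (a controller routing requests over a fast or a slow path, with the environment deciding outcomes) is constructed here. On an infinite arena this fixpoint iteration need not terminate, which is the situation the thesis's well quasi-ordered games address.

```python
"""Safety game on a finite arena: controller vs. environment (constructed example)."""
from collections import defaultdict


def solve_safety_game(ctrl, env, edges, bad):
    """Return (W, strategy): W is the set of nodes from which the controller can
    keep the play out of `bad` forever, and strategy maps each controller node
    in W to a successor that stays inside W (a positional strategy suffices).

    W is the complement of the environment's attractor of `bad`: the least set
    X containing `bad` such that an environment node with some successor in X,
    or a controller node with all successors in X, is again in X."""
    preds = defaultdict(set)
    for u, vs in edges.items():
        for v in vs:
            preds[v].add(u)
    attr, todo = set(bad), list(bad)
    while todo:
        v = todo.pop()
        for u in preds[v]:
            if u not in attr and (u in env or all(w in attr for w in edges[u])):
                attr.add(u)
                todo.append(u)
    win = (set(ctrl) | set(env)) - attr
    strategy = {u: next(v for v in edges[u] if v in win) for u in ctrl if u in win}
    return win, strategy


def strategy_is_safe(win, strategy, edges, env, bad):
    """Independent check: from every node of `win`, controller moves that follow
    `strategy` and arbitrary environment moves stay in `win`, and `win` avoids
    `bad`.  This is the closure property a winning safety strategy must have."""
    if set(bad) & win:
        return False
    for u in win:
        succs = edges[u] if u in env else [strategy[u]]
        if any(v not in win for v in succs):
            return False
    return True


# Constructed arena.  Controller nodes decide how to route a request; the
# environment decides the outcome.  Routing via "fast" lets the environment
# force "overflow", so a safe controller must always take the slow path.
CTRL = ["idle", "retry", "ok"]
ENV = ["fast", "slow", "overflow"]
EDGES = {
    "idle": ["fast", "slow"],
    "fast": ["ok", "overflow"],
    "slow": ["ok", "retry"],
    "retry": ["slow"],
    "ok": ["idle"],
    "overflow": ["overflow"],
}
BAD = {"overflow"}

if __name__ == "__main__":
    win, strategy = solve_safety_game(CTRL, ENV, EDGES, BAD)
    print("winning region:", sorted(win))
    print("controller strategy:", strategy)
    print("strategy verified:", strategy_is_safe(win, strategy, EDGES, ENV, BAD))
```

The attractor is computed backwards from Bad over predecessor edges, so each node is examined once per incoming edge and the whole solve is linear in the arena. The separate `strategy_is_safe` check is worth keeping in any synthesis pipeline: it re-derives the safety claim from the produced strategy alone, so a bug in the solver cannot silently ship an unsafe controller.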

In the following sections, we present an overview of our contributions.
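The quantitative problem stated in the abstract and in the last item above (given s_init, a set F of final states and a tolerance, compute a rational interval of that width containing the probability of reaching F), as an added example that is not the thesis's algorithm or code. The chain is unfolded breadth-first with exact rationals: mass that reaches F goes into the lower bound, mass that enters a state from which F is unreachable is dropped, and the mass still in flight is the width of the interval. Two assumptions are made explicit in the code: the qualitative question "can F still be reached from this state?" is answered by a caller-supplied oracle (`cannot_reach`), and termination is guaranteed only when the in-flight mass decays below the tolerance within a depth cutoff, which plays the role of the sufficient conditions the thesis gives. The chain (a biased random walk on the naturals with an absorbing loss state) is constructed for this page.

```python
"""Bounding a reachability probability in an infinite Markov chain (constructed example)."""
from fractions import Fraction


def bound_reach_probability(s_init, successors, is_final, cannot_reach, eps, max_depth=1000):
    """Return rationals (lo, hi) with lo <= Pr[reach F from s_init] <= hi and
    hi - lo < eps, or None if max_depth levels do not suffice.

    successors(s) yields (t, p) pairs with p a Fraction summing to 1.  The
    `cannot_reach` oracle is assumed to be exact: dropping its mass is only
    sound if F is truly unreachable from those states."""
    if is_final(s_init):
        return Fraction(1), Fraction(1)
    if cannot_reach(s_init):
        return Fraction(0), Fraction(0)
    lo, frontier = Fraction(0), {s_init: Fraction(1)}
    for _ in range(max_depth):
        in_flight = sum(frontier.values(), Fraction(0))
        if in_flight < eps:
            return lo, lo + in_flight  # everything still in flight may yet reach F
        nxt = {}
        for s, mass in frontier.items():
            for t, p in successors(s):
                if is_final(t):
                    lo += mass * p
                elif not cannot_reach(t):
                    nxt[t] = nxt.get(t, Fraction(0)) + mass * p
        frontier = nxt
    return None


# Constructed chain on the naturals plus an absorbing "lost" state: from n >= 1
# step down with probability 1/2, up with 1/3, or lose the token for good with
# 1/6.  F = {0}.  The state space is infinite (n is unbounded); the drift
# towards 0 together with the leak to "lost" makes the in-flight mass decay
# geometrically, which is what lets the unfolding terminate.
def walk_successors(n):
    return [(n - 1, Fraction(1, 2)), (n + 1, Fraction(1, 3)), ("lost", Fraction(1, 6))]


def bound_walk(eps):
    return bound_reach_probability(1, walk_successors, lambda s: s == 0,
                                   lambda s: s == "lost", eps)


if __name__ == "__main__":
    lo, hi = bound_walk(Fraction(1, 100))
    # the exact value solves h = 1/2 + h^2/3, i.e. h = (3 - sqrt(3))/2, about 0.63397
    print(f"Pr[reach 0 from 1] lies in [{float(lo):.5f}, {float(hi):.5f}]")
```

Using `Fraction` rather than floats matters here: the bounds are meant to be a certificate, and rounding error in a float accumulation could push the true probability outside the reported interval without any indication.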

1.2 Parameterized Systems

We often encounter systems in which a relatively simple component (a sort of "building block") is repeated an arbitrary number of times to form a complex system. Such systems are called parameterized, in the sense that their definition uses the number of entities as a parameter.

Protocols for the control of a shared resource are typical examples of parameterized systems: for instance mutual exclusion protocols. In these protocols, several identical participants compete for access to a shared resource (e.g. the right to transmit on a broadcast medium).

For such protocols, it is important that the system can be proven correct regardless of the configuration. This kind of reasoning is called parametric. We underline the fact that because the system can have any size, it is not possible to do an enumerative exhaustive search of the state-space of a parameterized system: it is infinite. We need a symbolic approach to deal with such systems.
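The symbolic treatment described above, worked through on a small token-passing protocol. This is an added example written for this page, not the thesis's tool or the authors' code; the protocol (a single token moving to the right along a line of processes), the bad states and the candidate invariant are all constructed here. Sets of global states are NFAs over the alphabet {N, T}, the transition relation is a length-preserving transducer (an NFA over letter pairs), and the safety check is the standard inductive-invariant test: Init is contained in Inv, Post(Inv) is contained in Inv, and Inv is disjoint from Bad. The last function shows why a transitive closure is needed at all: iterating Post from the initial states never stabilizes on this protocol, because the k-th iterate only covers tokens that have moved at most k positions.

```python
"""Regular model checking of a token-passing line (constructed example).

Global states are words over {N, T}: position i holds T iff process i has
the token.  A set of states is an NFA; the transition relation is a
length-preserving transducer, i.e. an NFA whose letters are (in, out) pairs.
"""
from itertools import product


class NFA:
    def __init__(self, states, alphabet, delta, start, accept):
        self.states, self.alphabet = frozenset(states), frozenset(alphabet)
        self.delta = delta  # (state, letter) -> set of successor states
        self.start, self.accept = frozenset(start), frozenset(accept)

    def step(self, qs, a):
        return frozenset(r for q in qs for r in self.delta.get((q, a), ()))

    def is_empty(self):
        """True iff no accepting state is reachable from a start state."""
        seen, todo = set(self.start), list(self.start)
        while todo:
            q = todo.pop()
            if q in self.accept:
                return False
            for a in self.alphabet:
                for r in self.delta.get((q, a), set()) - seen:
                    seen.add(r)
                    todo.append(r)
        return True

    def complement(self):
        """Subset construction over reachable subsets; {} is the dead state."""
        delta, states, todo = {}, {self.start}, [self.start]
        while todo:
            s = todo.pop()
            for a in self.alphabet:
                t = self.step(s, a)
                delta[(s, a)] = {t}
                if t not in states:
                    states.add(t)
                    todo.append(t)
        return NFA(states, self.alphabet, delta, {self.start},
                   {s for s in states if not s & self.accept})


def intersect(a, b):
    delta = {}
    for (p, x), ps in a.delta.items():
        for q in b.states:
            qs = b.delta.get((q, x), ())
            if qs:
                delta[((p, q), x)] = set(product(ps, qs))
    return NFA(product(a.states, b.states), a.alphabet, delta,
               product(a.start, b.start), product(a.accept, b.accept))


def union(a, b):
    tag = lambda i, d: {((i, q), x): {(i, r) for r in rs} for (q, x), rs in d.items()}
    mark = lambda i, qs: {(i, q) for q in qs}
    return NFA(mark(0, a.states) | mark(1, b.states), a.alphabet,
               {**tag(0, a.delta), **tag(1, b.delta)},
               mark(0, a.start) | mark(1, b.start), mark(0, a.accept) | mark(1, b.accept))


def subset(a, b):
    return intersect(a, b.complement()).is_empty()


def post(trans, a):
    """Successor set: the image of L(a) under the transducer."""
    delta = {}
    for (t, (x, y)), ts in trans.delta.items():
        for (p, x2), ps in a.delta.items():
            if x2 == x:
                delta.setdefault(((t, p), y), set()).update(product(ts, ps))
    return NFA(product(trans.states, a.states), a.alphabet, delta,
               product(trans.start, a.start), product(trans.accept, a.accept))


SIGMA = {"N", "T"}
# Initial states T N*: process 0 holds the token (constructed protocol).
INIT = NFA({0, 1}, SIGMA, {(0, "T"): {1}, (1, "N"): {1}}, {0}, {1})
# One step rewrites a factor "T N" into "N T" and copies everything else.
COPY = {(q, (x, x)): {q} for q in (0, 2) for x in SIGMA}
MOVE = NFA({0, 1, 2}, set(product(SIGMA, SIGMA)),
           {**COPY, (0, ("T", "N")): {1}, (1, ("N", "T")): {2}}, {0}, {2})
# Bad: two tokens at once.  Candidate invariant: exactly one token.
BAD = NFA({0, 1, 2}, SIGMA, {(0, "N"): {0}, (0, "T"): {0, 1}, (1, "N"): {1},
                             (1, "T"): {1, 2}, (2, "N"): {2}, (2, "T"): {2}}, {0}, {2})
INV = NFA({0, 1}, SIGMA, {(0, "N"): {0}, (0, "T"): {1}, (1, "N"): {1}}, {0}, {1})


def check_invariant(init, trans, inv, bad):
    """Init within Inv, Post(Inv) within Inv and Inv disjoint from Bad prove Bad unreachable."""
    return (subset(init, inv) and subset(post(trans, inv), inv)
            and intersect(inv, bad).is_empty())


def naive_closure(trans, init, bound):
    """Iterate R := R union Post(R) until stable (the fixpoint) or give up (None).
    Here the k-th iterate only covers tokens that moved at most k steps, so no
    bound suffices: computing the transitive closure needs an acceleration."""
    reach = init
    for _ in range(bound):
        nxt = union(reach, post(trans, reach))
        if subset(nxt, reach):
            return nxt
        reach = nxt
    return None


if __name__ == "__main__":
    print("invariant proves safety:", check_invariant(INIT, MOVE, INV, BAD))
    print("naive iteration stabilized:", naive_closure(MOVE, INIT, 4) is not None)
```

Every check reduces to emptiness of a product automaton, which is why regular sets are a convenient symbolic domain: inclusion, intersection and image under a transducer are all closed and decidable. What is not available is a terminating way to compute Post* in general, which is the gap the closure-construction methods of Papers B and C aim to fill as often as possible; the invariant supplied by hand here stands in for what such an acceleration would have to discover.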

The framework of Regular Model Checking provides for both the mod-
