Counter Systems: The Quest for Pushing the Decidability Borders

SLIDE 1

Counter Systems: The Quest for Pushing the Decidability Borders

Stéphane Demri

NYU & CNRS – Marie Curie Fellow

FROCOS & TABLEAUX, September 19th, 2013

SLIDE 2

Collaborations

  • A survey paper and abstract written with Clark Barrett & Morgan Deters (NYU) in the proceedings.
  • Some of the presented results are still subject to on-going research:
    • ACSys group, NYU.
    • Amit Dhar, Arnaud Sangnier (LIAFA).
    • Members of ANR REACHARD (LSV, LABRI).
  • Less recent collaborations on the subject with M. Bersani, R. Gascon, V. Goranko, D. D'Souza, R. Lazić, etc.

SLIDE 3

Overview

1 Presburger Counter Systems
    Definition
    Decision Problems
    Subclasses of PCS
2 Loops, Path Schemas and Flatness
    Loops & Path Schemas
    Flatness
3 Verifying Temporal Properties
    Presburger LTL
    Model-Checking
    Complexity
4 Path Schema Subsumption: An Overview

SLIDE 4

Presburger Counter Systems

SLIDES 5-7

Integer Programs

  • Finite-state automaton with counters interpreted by non-negative integers.

[figure: control graph of an integer program with transitions labelled x2++, x1−−, x3 == 0?, x2++, x1−−]

  • Many applications:
    • Broadcast protocols, Petri nets, . . .
    • Programs with pointer variables. [Bouajjani et al., CAV'06]
    • Replicated finite-state programs. [Kaiser & Kroening & Wahl, CAV'10]
    • Relationships with data logics. [Bojańczyk et al., TOCL 11]
  • Techniques for model-checking infinite-state systems are required for formal verification.
  • But, integer programs can simulate Turing machines.
  • Checking safety or liveness properties is undecidable.

SLIDES 8-10

Taming Verification of Counter Machines

  • Design of subclasses with decidable reachability problems
    • Vector addition systems (≈ Petri nets) [Kosaraju, STOC'82]
    • Flat relational counter machines. [Comon & Jurski, CAV'98]
    • Reversal-bounded counter machines. [Ibarra, JACM 78]
    • Flat affine counter machines with finite monoids. [Boigelot, PhD 98; Finkel & Leroux, FSTTCS'02]
    • . . .
  • Decision procedures
    • Translation into Presburger arithmetic. [Fribourg & Olsén, CONCUR'97; Finkel & Leroux, FSTTCS'02]
    • Direct analysis on runs. [Rackoff, TCS 78]
    • Approximating reachability sets. [Karp & Miller, JCSS 69]
    • Well-structured transition systems. [Finkel & Schnoebelen, TCS 01]
  • Tools: FAST, LASH, TREX, FLATA, . . .

SLIDES 11-12

A Fundamental Decidable Theory

  • First-order theory of ⟨N, +, ≤⟩ introduced by Mojżesz Presburger (1929).
  • Use in guards and in symbolic representations for sets of tuples.
  • Many properties: decidability, quantifier elimination, quantifier-free fragment in NP, . . .
  • Terms t = a1x1 + · · · + anxn + k where a1, . . . , an ∈ N, k ∈ N and the xi's are variables.
  • Presburger formulae: φ ::= t ≤ t′ | ¬φ | φ ∧ φ | ∃x φ

SLIDES 13-15

Presburger Arithmetic

  • Linear fragment: no quantification.
  • Valuation v : VAR → N, extended to all terms by
      v(a1x1 + · · · + anxn + k)  =def  a1·v(x1) + · · · + an·v(xn) + k
  • v ⊨ t ≤ t′ iff v(t) ≤ v(t′);  v ⊨ φ ∧ φ′ iff v ⊨ φ and v ⊨ φ′,
  • v ⊨ ∃x φ  ⇔def  there is n ∈ N such that v[x ↦ n] ⊨ φ.
  • Formula φ(x1, . . . , xn) with n ≥ 1 free variables defines the set
      ⟦φ(x1, . . . , xn)⟧  =def  {(v(x1), . . . , v(xn)) ∈ N^n : v ⊨ φ}.
  • φ is satisfiable  ⇔def  there is v such that v ⊨ φ.

SLIDES 16-17

Decision Procedures and Tools

  • Quantifier elimination and refinements [Cooper, ML 72; Reddy & Loveland, STOC'78]
  • Tools dealing with quantifier-free PA, full PA or quantifier elimination: Z3, CVC4, Alt-Ergo, Yices2, Omega test.
  • Automata-based approach. [Büchi, ZML 60; Boudet & Comon, CAAP'96]
  • Automata-based tools for Presburger arithmetic: LIRA, the suite of libraries TAPAS, MONA, and LASH.

SLIDE 18

Presburger Counter Systems (PCS)

  • Presburger Counter System C = ⟨Q, n, δ⟩ of dimension n:
    • Q is a nonempty finite set of control states.
    • n ≥ 1 is the dimension.
    • δ is a finite set of transitions of the form t = ⟨q, φ, q′⟩ where q, q′ ∈ Q and φ is a Presburger formula with free variables x1, . . . , xn, x′1, . . . , x′n.

[figure: a PCS with control states q1, . . . , q11 whose transitions are labelled inc(i), dec(i), zero(i) and the Presburger guards x1 = 3x3 and ∃z x1 = 2z]

  • Configuration ⟨q, x⟩ ∈ S = Q × N^n.

SLIDE 19

Transition System T(C)

  • Transition system T(C) = ⟨S, →⟩:
    • ⟨q, x⟩ → ⟨q′, x′⟩  ⇔def  there is t = ⟨q, φ, q′⟩ ∈ δ such that v[x ← x, x′ ← x′] ⊨ φ.

[figure: a one-counter system with states q1, q2, q3 and transitions dec(x), zero(x), inc(x), dec(x), next to the fragment of T(C) on the configurations ⟨q1, 0⟩, . . . , ⟨q1, 4⟩, ⟨q2, 0⟩, . . . , ⟨q2, 3⟩, ⟨q3, 0⟩]

  • →*: reflexive and transitive closure of → (sometimes written ReachC).

SLIDES 20-23

Decision Problems

  • Reachability problem:
    Input: PCS C, ⟨q0, x0⟩ and ⟨qf, xf⟩. Question: ⟨q0, x0⟩ →* ⟨qf, xf⟩?
  • Control state reachability problem:
    Input: PCS C, ⟨q0, x0⟩ and qf. Question: ∃xf ⟨q0, x0⟩ →* ⟨qf, xf⟩?
  • Control state repeated reachability problem:
    Input: PCS C, ⟨q0, x0⟩ and qf. Question: is there an infinite run starting from ⟨q0, x0⟩ such that the control state qf is repeated infinitely often?
  • Boundedness problem:
    Input: PCS C and ⟨q0, x0⟩. Question: is ReachC(⟨q0, x0⟩) finite?

SLIDE 24

Subclasses of Presburger Counter Systems

  • Counter systems (CS): transitions q –(φg ∧ φu)→ q′ ∈ δ s.t.
    • φg is a Boolean combination of atomic formulae of the form t ≤ t′ built over x1, . . . , xn (ex: 2x1 + x2 = 3 ∨ x3 ≥ 0),
    • φu = ⋀_{i ∈ [1, n]} x′i = xi + b(i) where b ∈ Z^n.
  • Minsky machines are counter systems.
  • Vector addition systems with states (VASS): all the transitions are of the form q –(⊤ ∧ φu)→ q′. (≈ Minsky machines without tests)

SLIDE 25

Decidability/Complexity Issues for VASS

  • The reachability problem is decidable. [Mayr, STOC'81; Kosaraju, STOC'82; Leroux, LICS'09]
  • No primitive recursive algorithm is known. (use of well quasi-orderings) (State of the art at the time of the talk; the problem has since been shown Ackermann-complete, so no primitive recursive algorithm exists.)
  • EXPSPACE-hardness [Lipton, TR 76].
  • Boundedness problem for VASS is EXPSPACE-complete. [Lipton, TR 76; Rackoff, TCS 78]
  • Checking equality between accessibility sets of two configurations is undecidable [Hack, TCS 76].

SLIDE 26

Reversal-Bounded Counter Systems

  • Reversal: alternation from nonincreasing mode to nondecreasing mode and vice-versa.
  • Set T: finite set of terms including {x1, . . . , xn}.
  • Atomic formulae in guards are of the form t ≤ k or t ≥ k with k ∈ Z and t of the form Σi ai·xi with the ai's in Z.
  • A run is r-T-reversal-bounded whenever the number of reversals of each term in T is at most r.

SLIDES 27-28

Reversal-Boundedness Leads to Semilinearity

  • Given a CS C, TC =def the set of terms t occurring in guards t ∼ k with ∼ ∈ {≤, ≥}, plus the counters in {x1, . . . , xn}.
  • ⟨C, q0, x0⟩ is reversal-bounded ⇔def there is r ≥ 0 such that every run from ⟨q0, x0⟩ is r-TC-reversal-bounded.
  • When T = {x1, . . . , xn}, T-reversal-boundedness is equivalent to reversal-boundedness from [Ibarra, JACM 78].
  • Given a CS C, r ≥ 0 and q, q′ ∈ Q, one can effectively compute a Presburger formula φq,q′(x, y) such that for all v, the propositions below are equivalent:
    • v ⊨ φq,q′(x, y),
    • there is an r-TC-reversal-bounded run from ⟨q, v(x1), . . . , v(xn)⟩ to ⟨q′, v(y1), . . . , v(yn)⟩.
  [Ibarra, JACM 78; Demri & Bersani, FROCOS'11]

SLIDE 29

[figure: the 11-state counter system of slide 18 again, with transitions inc(1), inc(2), zero(1), dec(1), zero(2), dec(2), . . .]

  φ = (x1 ≥ 2 ∧ x2 ≥ 1 ∧ x2 + 1 ≥ x1) ∨ (x2 ≥ 2 ∧ x1 ≥ 1 ∧ x1 + 1 ≥ x2)

  ⟦φ⟧ = {y ∈ N^2 : ⟨q1, 0⟩ →* ⟨q9, y⟩}

SLIDE 30

PCS with Octagonal Constraints

  • Octagonal constraint: conjunction of atomic guards of the form ±y ± z ≤ k where y, z are in x1, . . . , xn, x′1, . . . , x′n, k ∈ Z and ±y is either y or −y. [Bozga & Girlea & Iosif, TACAS'09]
  • Difference bounds constraint: conjunction of atomic guards of the form y − z ≤ k where y, z are in x1, . . . , xn, x′1, . . . , x′n and k ∈ Z. [Comon & Jurski, CAV'98]
  • Guards on transitions in CS are Boolean combinations of linear constraints and therefore are incomparable with the above classes of guards.

SLIDE 31

Loops, Path Schemas and Flatness

SLIDES 32-33

Repeated Loop Effect

  • Path p: finite sequence of transitions from δ corresponding to a path in its control graph.
  • Loop: non-empty path l starting and ending at the same control state.

[figure: two states q and r with transitions t1 = ⟨q, g1, u1, r⟩ and t2 = ⟨r, g2, u2, q⟩; l = t1 t2]

  • Effect effect(l): {⟨x, x′⟩ ∈ N^n × N^n : ⟨first(l), x⟩ –l→ ⟨last(l), x′⟩}
  • Repeated effect effect<ω(l) (a.k.a. acceleration): {⟨x, x′⟩ ∈ N^n × N^n : ⟨first(l), x⟩ –l^i→ ⟨last(l), x′⟩, i ≥ 0}

SLIDES 34-35

Loop Effects and Presburger Arithmetic

  • Reachability problem for loops:
    Input: PCS C, loop l, counter values x0, xf. Question: is ⟨x0, xf⟩ ∈ effect<ω(l)?
  • The repeated effect of loops from Presburger counter systems is not necessarily definable in Presburger arithmetic. (take a loop whose effect is to multiply a counter by 2)
  • The reachability problem for loops for PCS is undecidable.
  • The repeated effect of loops made of octagonal constraints is effectively definable in Presburger arithmetic. [Comon & Jurski, CAV'98; Bozga & Girlea & Iosif, TACAS'09]

SLIDES 36-38

Counting Iteration

  • Counting iteration of R ⊆ N^2n: R^CI ⊆ N^n × N × N^n s.t. ⟨x, i, y⟩ ∈ R^CI ⇔def y can be reached from x in i R-steps.
  • R has a Presburger counting iteration if its counting iteration is Presburger-definable.
  • ⟨x, y⟩ ∈ R* iff there is i ∈ N such that ⟨x, i, y⟩ ∈ R^CI.
  • {⟨α, α + 1⟩ ∈ N^2 : α ∈ N} has a Presburger counting iteration.
  • R = {⟨α, 2α⟩ ∈ N^2 : α ∈ N} has not. (R* = {⟨α, 2^β·α⟩ ∈ N^2 : α, β ∈ N})
  • A class of PCS satisfies the property (⋆) when, for every loop l, effect(l) has a Presburger counting iteration and its Presburger formula is computable.
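An added example, not from the talk, of why the counting iteration of slide 36 is Presburger-definable for a loop of a counter system whose guards are conjunctions of linear constraints, i.e. one instance of property (⋆) for the class CS: iteration number j of the loop starts at x + jB, where B is the sum of the loop's updates, so every guard and every non-negativity condition met inside that iteration is an affine inequality in j. The set of executable j is therefore an interval, membership in effect(l)^CI reduces to endpoint checks and integer division, and the reachability problem for loops of slide 34 is decided by solving xf = x0 + iB for i. The loop LOOP is constructed; simulate is a brute-force cross-check. Guards with disjunctions would have to be case-split first, which is the "eliminating disjunctions" step mentioned on slide 69.

```python
from typing import List, Optional, Sequence, Tuple

Vec = Tuple[int, ...]
Constraint = Tuple[Vec, str, int]          # atomic guard  a.x op k,  op in {"<=", ">=", "="}
Transition = Tuple[List[Constraint], Vec]  # (conjunctive guard, update b in Z^n)
SIGNS = {"<=": (1,), ">=": (-1,), "=": (1, -1)}   # multiply by -1 to turn >= into <=


def dot(a: Vec, x: Vec) -> int:
    return sum(ai * xi for ai, xi in zip(a, x))


def add(x: Vec, y: Vec, times: int = 1) -> Vec:
    return tuple(xi + times * yi for xi, yi in zip(x, y))


def ceil_div(p: int, q: int) -> int:       # q > 0
    return -((-p) // q)


def loop_effect(loop: Sequence[Transition], n: int) -> Vec:
    """B = sum of the updates: one iteration of the loop translates x by B."""
    B = tuple([0] * n)
    for _, b in loop:
        B = add(B, b)
    return B


def iteration_conditions(loop: Sequence[Transition], n: int) -> List[Tuple[Vec, Vec, str, int]]:
    """Every condition met during ONE iteration that starts at x, as  a.(x + c) op k  where
    c is the update accumulated so far inside the iteration. Since counters live in N,
    each transition also contributes the conditions x_i + c_i >= 0."""
    conds, c = [], tuple([0] * n)
    for guard, b in loop:
        conds += [(a, c, op, k) for a, op, k in guard]
        c = add(c, b)
        conds += [(tuple(int(j == i) for j in range(n)), c, ">=", 0) for i in range(n)]
    return conds


def iteration_interval(loop: Sequence[Transition], n: int, x: Vec) -> Tuple[int, Optional[int]]:
    """Iteration number j starts at x + j*B, so each condition reads alpha + beta*j op k
    with alpha = a.(x + c) and beta = a.B: affine in j, hence true on an interval of j's.
    The intersection is again an interval [lo, hi] (hi = None when unbounded); this
    convexity is what makes the counting iteration Presburger-definable."""
    B = loop_effect(loop, n)
    lo, hi = 0, None
    for a, c, op, k in iteration_conditions(loop, n):
        alpha, beta = dot(a, add(x, c)), dot(a, B)
        for s in SIGNS[op]:                       # s*alpha + s*beta*j <= s*k
            sa, sb, sk = s * alpha, s * beta, s * k
            if sb == 0:
                if sa > sk:
                    return 1, 0                   # empty interval
            elif sb > 0:
                bound = (sk - sa) // sb
                hi = bound if hi is None else min(hi, bound)
            else:
                lo = max(lo, ceil_div(sa - sk, -sb))
    return lo, hi


def max_iterations(loop: Sequence[Transition], n: int, x: Vec) -> Optional[int]:
    """Largest i such that the loop can be run i times in a row from x (None = forever)."""
    lo, hi = iteration_interval(loop, n, x)
    if lo > 0 or (hi is not None and hi < 0):    # iteration 0 itself is blocked
        return 0
    return None if hi is None else hi + 1


def in_counting_iteration(loop: Sequence[Transition], n: int, x: Vec, i: int, y: Vec) -> bool:
    """<x, i, y> in effect(l)^CI (slide 36): y = x + i*B and iterations 0..i-1 all execute."""
    if y != add(x, loop_effect(loop, n), i):
        return False
    m = max_iterations(loop, n, x)
    return i == 0 or m is None or i <= m


def loop_reachable(loop: Sequence[Transition], n: int, x0: Vec, xf: Vec) -> bool:
    """Reachability problem for loops (slide 34): is <x0, xf> in effect^{<omega}(l)?
    The loop is a translation, so the number of iterations i is forced by xf - x0 = i*B."""
    B = loop_effect(loop, n)
    if not any(B):
        return x0 == xf
    k = next(j for j, b in enumerate(B) if b != 0)
    diff = xf[k] - x0[k]
    if diff % B[k] != 0 or diff // B[k] < 0:
        return False
    return in_counting_iteration(loop, n, x0, diff // B[k], xf)


def simulate(loop: Sequence[Transition], n: int, x: Vec, i: int) -> Optional[Vec]:
    """Brute-force cross-check: execute the loop i times step by step, None if it blocks."""
    for _ in range(i):
        for guard, b in loop:
            ok = all((dot(a, x) <= k) if op == "<=" else (dot(a, x) >= k) if op == ">=" else (dot(a, x) == k)
                     for a, op, k in guard)
            x = add(x, b)
            if not ok or min(x) < 0:
                return None
    return x


# Constructed loop l = t1 t2 on two counters:  t1: x1 >= 1, (-1,+1)    t2: x2 <= 5, (0,+1)
LOOP: List[Transition] = [([((1, 0), ">=", 1)], (-1, 1)), ([((0, 1), "<=", 5)], (0, 1))]

if __name__ == "__main__":
    print(max_iterations(LOOP, 2, (4, 0)), simulate(LOOP, 2, (4, 0), 3), loop_reachable(LOOP, 2, (4, 0), (1, 6)))
```

From (4, 0) the loop has effect B = (−1, 2) and can be iterated exactly three times (the guard x2 ≤ 5 of t2 fails in the fourth iteration), so ⟨(4, 0), (1, 6)⟩ ∈ effect<ω(l) while ⟨(4, 0), (0, 8)⟩ is not, although (0, 8) = (4, 0) + 4B. The interval computation is the quantifier-free Presburger formula in disguise: lo and hi are the constants a formula φ(x, i) would carry as integer divisions.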

SLIDE 39

From Loops to Path Schemas

  • Infinitary path schema: alternation of non-loop and loop segments, ending with a loop, and representing a potentially infinite set of infinite runs.

[figure: control graph on q0, . . . , q5 with transitions t0, . . . , t4, and the path schema P = (t0)(t1)+(t1t2)(t3t4)^ω unfolded as t0 t1 t1 t2 t3 t4 . . .]

  • Infinitary path schema = ω-regular expression of the form p1 l1+ p2 l2+ . . . pk lk^ω over alphabet δ.
  • Finitary path schema: p1 l1+ p2 l2+ . . . pk (no last loop).

SLIDES 40-41

Runs and Path Schemas

  • Run ρ respects a path schema when its sequence of transitions belongs to the language of the path schema.
  • Good path schemas are those that are minimal (no loop is a multiple of a smaller loop, no segment contains a loop, etc.).
  • When (⋆) holds, {⟨x, x′⟩ : ⟨q, x⟩ →* ⟨q′, x′⟩ respects P} is effectively Presburger-definable (P finitary).
  • The class of PCS with octagonal constraints enjoys (⋆). See also the tool FLATA. [Bozga & Girlea & Iosif, TACAS'09]
  • The class CS also enjoys (⋆).

SLIDES 42-44

Flat Presburger Counter Systems

  • Every state belongs to at most one simple cycle. [Fribourg & Olsén, CONCUR'97; Comon & Jurski, CAV'98]

[figure: a flat control graph on q1, . . . , q6]

  • In a flat counter system, the number of good infinitary path schemas is bounded by card(δ)^(2 × card(δ)).
  • Let C be a class of PCS that enjoys (⋆). Then, for every flat PCS from C, the relation ReachC is Presburger-definable.
  • Let C be a class of PCS that enjoys (⋆). The reachability problem for flat PCS from C is decidable.
  • The reachability problem for flat CS is NP-complete.
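An added example, not part of the talk, that checks the flatness condition of slide 42 on a control graph and, for a flat graph, enumerates the infinitary path schemas of slide 39 that start from a given state. Guards and updates play no role in flatness, so transitions are just (name, source, target) triples; the graph FLAT is constructed. The enumeration follows one reading of the "good" schemas of slide 40: no segment contains a loop, and each simple cycle is iterated at most once, at the state where the run enters it (iterating it at a later state of the same cycle yields the same transition words, since (pp′)^k p = p (p′p)^k). In a flat graph a run that leaves a cycle never returns to it, so every infinite run respects one of the enumerated schemas, which is the finite case split the NP algorithm of slide 67 guesses from.

```python
from typing import Dict, List, Set, Tuple

Transition = Tuple[str, str, str]   # (name, source state, target state); guards/updates do not matter here
Cycle = Tuple[str, ...]              # a simple cycle, as the sequence of its transition names


def out_edges(transitions: List[Transition]) -> Dict[str, List[Transition]]:
    table: Dict[str, List[Transition]] = {}
    for t in transitions:
        table.setdefault(t[1], []).append(t)
    return table


def simple_cycles(transitions: List[Transition]) -> List[Cycle]:
    """All simple cycles of the control graph, each listed once, rooted at its smallest
    state (states are compared by name). Parallel transitions with the same endpoints
    give distinct cycles, which is what matters for flatness."""
    edges = out_edges(transitions)
    cycles: List[Cycle] = []

    def dfs(root: str, cur: str, path: List[str], visited: Set[str]) -> None:
        for name, _, dst in edges.get(cur, []):
            if dst == root:
                cycles.append(tuple(path + [name]))
            elif dst > root and dst not in visited:
                dfs(root, dst, path + [name], visited | {dst})

    for s in sorted({s for t in transitions for s in t[1:]}):
        dfs(s, s, [], {s})
    return cycles


def states_on(cycle: Cycle, transitions: List[Transition]) -> List[str]:
    """Source states of the cycle's transitions, in cycle order."""
    source = {t[0]: t[1] for t in transitions}
    return [source[name] for name in cycle]


def is_flat(transitions: List[Transition]) -> bool:
    """Flatness (slide 42): every control state belongs to at most one simple cycle."""
    owner: Dict[str, Cycle] = {}
    for cyc in simple_cycles(transitions):
        for s in states_on(cyc, transitions):
            if owner.setdefault(s, cyc) != cyc:
                return False
    return True


def infinitary_path_schemas(transitions: List[Transition], q0: str) -> List[str]:
    """Infinitary path schemas p1 l1+ p2 l2+ ... pk lk^w (slide 39) of a flat CS from q0:
    segments are simple paths, each simple cycle is iterated at most once, at the state
    where it is entered, and the schema ends with a cycle taken forever."""
    assert is_flat(transitions), "path schema enumeration assumes a flat control graph"
    edges = out_edges(transitions)
    loop_at: Dict[str, Tuple[int, str]] = {}      # state -> (cycle id, loop rotated to start there)
    for cid, cyc in enumerate(simple_cycles(transitions)):
        for i, s in enumerate(states_on(cyc, transitions)):
            loop_at[s] = (cid, "".join(cyc[i:] + cyc[:i]))
    schemas: List[str] = []

    def dfs(q: str, prefix: str, visited: Set[str], used: Set[int]) -> None:
        prefixes = [prefix]                        # option: pass through q without looping
        if q in loop_at and loop_at[q][0] not in used:
            cid, l = loop_at[q]
            schemas.append(prefix + "(" + l + ")^ω")       # option: stay in the loop forever
            prefixes.append(prefix + "(" + l + ")+")       # option: iterate, then go on
            used = used | {cid}
        for pre in prefixes:
            for name, _, dst in edges.get(q, []):
                if dst not in visited:             # segments never repeat a state
                    dfs(dst, pre + name, visited | {dst}, used)

    dfs(q0, "", {q0}, set())
    return schemas


# Constructed flat control graph (guards and updates omitted):
#   q1 -t1-> q2,  q2 -t2-> q2,  q2 -t3-> q3,  q3 -t4-> q4,  q4 -t5-> q3,  q3 -t6-> q5
FLAT: List[Transition] = [("t1", "q1", "q2"), ("t2", "q2", "q2"), ("t3", "q2", "q3"),
                          ("t4", "q3", "q4"), ("t5", "q4", "q3"), ("t6", "q3", "q5")]

if __name__ == "__main__":
    print(is_flat(FLAT), simple_cycles(FLAT))
    print(infinitary_path_schemas(FLAT, "q1"))
    print(is_flat(FLAT + [("t7", "q3", "q3")]))   # q3 now lies on two cycles
```

FLAT has the two simple cycles (t2) and (t4 t5) and three infinitary path schemas from q1: t1(t2)^ω, t1 t3(t4t5)^ω and t1(t2)+t3(t4t5)^ω; the branch through t6 ends in the loop-free state q5 and contributes none. Adding a second self-loop on q2 or a self-loop on q3 breaks flatness even though the state set is unchanged, which is why the check works on transition sequences rather than on vertex sets.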

SLIDES 45-46

Flattable Systems

  • Flat PCS are not always directly available.
  • Relaxed version: reachability captured by a flat unfolding.
  • ⟨C, q0, x0⟩ is initially flattable iff there is a finite set of finitary path schemas generating the same configurations.
  • Flattable PCS are everywhere. [Leroux & Sutre, ATVA'05]
    • Initialized reversal-bounded CS are initially flattable.
    • Initialized gainy counter automata are initially flattable.
    • Etc.
  • A flat unfolding of a PCS provides fewer runs and it can be used as an underapproximation method.
  • For VASS, Presburger-definable reachability set iff initially flattable. [Leroux, LICS'13]

SLIDE 47

We Want More: to Verify Temporal Properties

  • Checking how configurations are temporally organized.
  • Semilinearity of reachability sets no longer sufficient. How to combine it with other proof techniques?
  • Acceleration methods not designed to verify temporal properties.
  • How to take advantage of advances in the development of SMT solvers and decision procedures for Presburger arithmetic?

SLIDE 48

Verifying Temporal Properties

SLIDES 49-51

Specifying Existence of Runs in Temporal Logic

  • Repeated reachability can be obviously expressed by G F qf.
  • Initialized VASS is unbounded iff there is a run ⟨q, z⟩ →* ⟨q′, y⟩ →* ⟨q′, y′⟩ with y ≺ y′ for some q′.
  • In temporal logic lingo:
      ⟨q, z⟩ ⊨ E ∃y1, . . . , yn F( ⋀_{i=1}^{n} xi = yi ∧ XF( ⋀_{i=1}^{n} xi ≥ yi ∧ ⋁_{i=1}^{n} xi > yi ) )
  • Linear-time temporal logics offer genericity and fragments can be easily designed.
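The characterisation of slide 50 turned into a decision procedure, as an added example that is not part of the talk: for an initialised VASS, the boundedness problem of slide 23 is decided by exploring the reachability tree and stopping as soon as a configuration strictly covers an ancestor with the same control state, which is exactly the run ⟨q, z⟩ →* ⟨q′, y⟩ →* ⟨q′, y′⟩ with y ≺ y′. Termination rests on Dickson's lemma. This is a boundedness check, not the Karp & Miller coverability tree of slide 9: it answers the yes/no question and, when the answer is "bounded", returns the finite reachability set. The two VASS BOUNDED and UNBOUNDED are constructed for this illustration.

```python
from collections import deque
from typing import Dict, Iterator, List, Optional, Set, Tuple, Union

Vec = Tuple[int, ...]
Conf = Tuple[str, Vec]                 # configuration <q, x>
VASS = List[Tuple[str, Vec, str]]      # transitions (q, b, q'): no guards, x' = x + b must stay in N^n


def successors(vass: VASS, conf: Conf) -> Iterator[Conf]:
    q, x = conf
    for src, b, dst in vass:
        if src == q:
            x2 = tuple(xi + bi for xi, bi in zip(x, b))
            if min(x2) >= 0:
                yield (dst, x2)


def strictly_covers(y2: Vec, y: Vec) -> bool:
    """y ≺ y2: componentwise y <= y2 and y != y2 (the condition of slide 50)."""
    return y != y2 and all(a <= b for a, b in zip(y, y2))


def run_to(parent: Dict[Conf, Optional[Conf]], conf: Conf) -> List[Conf]:
    run: List[Conf] = []
    while conf is not None:
        run.append(conf)
        conf = parent[conf]
    return run[::-1]


def boundedness(vass: VASS, start: Conf) -> Tuple[bool, Union[Set[Conf], List[Conf]]]:
    """Decide the boundedness problem (slide 23) for an initialised VASS.

    Breadth-first exploration of the reachability tree, pruning configurations already
    seen. When a new node <q', y'> strictly covers an ancestor <q', y> on its branch we
    have found  <q,z> ->* <q',y> ->* <q',y'>  with y ≺ y' (slide 50): VASS transitions are
    translations without tests, so the segment from <q',y> can be repeated forever and the
    reachability set is infinite. If no such pair is ever found the exploration stops: by
    Dickson's lemma any infinite branch would contain two comparable configurations with
    the same control state, so the tree is finite and its nodes are exactly Reach(start).

    Returns (True, reachability set) or (False, self-covering run), the run ending in the
    covering configuration."""
    parent: Dict[Conf, Optional[Conf]] = {start: None}
    queue = deque([start])
    while queue:
        conf = queue.popleft()
        for nxt in successors(vass, conf):
            if nxt in parent:
                continue
            parent[nxt] = conf
            anc = conf                                   # walk the branch back to the root
            while anc is not None:
                if anc[0] == nxt[0] and strictly_covers(nxt[1], anc[1]):
                    return False, run_to(parent, nxt)
                anc = parent[anc]
            queue.append(nxt)
    return True, set(parent)


# Constructed VASS on two counters.
#   BOUNDED:   q0 --(-1,+1)--> q0 moves x1 into x2;  q0 --(0,-1)--> q1 consumes one x2.
#   UNBOUNDED: the same plus q1 --(+1,0)--> q1, which pumps x1 forever.
BOUNDED: VASS = [("q0", (-1, 1), "q0"), ("q0", (0, -1), "q1")]
UNBOUNDED: VASS = BOUNDED + [("q1", (1, 0), "q1")]

if __name__ == "__main__":
    print(boundedness(BOUNDED, ("q0", (3, 0))))
    print(boundedness(UNBOUNDED, ("q0", (3, 0))))
```

From ⟨q0, (3, 0)⟩ the VASS BOUNDED has seven reachable configurations and no two comparable ones with the same control state, so the exploration empties its queue and reports them all. On UNBOUNDED the node ⟨q1, (3, 0)⟩ strictly covers its parent ⟨q1, (2, 0)⟩, and the returned run ⟨q0, (3, 0)⟩ ⟨q0, (2, 1)⟩ ⟨q1, (2, 0)⟩ ⟨q1, (3, 0)⟩ is a witness for the temporal formula on slide 50 with y = (2, 0). The ancestor walk is what a generic reachability exploration lacks; without it the same search would run forever on UNBOUNDED.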

SLIDES 52-53

Introduction to Presburger LTL

  • First-order quantification over counter values, e.g. ∃y G(x1 ≤ y) ≈ "Along the run, counter 1 is bounded."
  • VARp = {y1, y2, . . .}: set of integer variables.
  • VAR = {x1, x2, . . .}: set of counter variables.
  • Q = {q1, q2, . . .}: set of control state symbols.
  • Formulae: φ ::= ψ | q | φ ∧ φ | ¬φ | Xφ | φUφ | ∃y φ
    • ψ: Boolean combination of linear constraints over VAR ∪ VARp.
    • q ∈ Q.

SLIDE 54

Satisfaction Relation

  • Environment E: partial map VARp → N.
  • Model: ρ = ⟨q0, x0⟩ ⟨q1, x1⟩ · · · ⟨qk, xk⟩ · · · ∈ (Q × N^n)^ω
  • ρ, i ⊨E q  ⇔def  q = qi.
  • ρ, i ⊨E ψ  ⇔def  vi ⊨ ψ, where vi extends E with vi(xj) = xi(j).
  • ρ, i ⊨E Xφ  ⇔def  ρ, i + 1 ⊨E φ.
  • ρ, i ⊨E ∃y φ iff there is k ∈ N such that ρ, i ⊨E[y ↦ k] φ.

SLIDES 55-56

Decision Problems for Presburger LTL

  • Semi-closed formula: no variable from VARp is free. F(x1 = y) is not semi-closed, unlike G(x1 > x2) and ∃y G(x1 ≤ y).
  • Satisfiability Problem
    Input: a Presburger LTL semi-closed formula φ with free counter variables x1, . . . , xn. Question: is there a model ρ ∈ (Q × N^n)^ω s.t. ρ, 0 ⊨∅ φ?
  • Existential Model-Checking Problem
    Input: PCS C = ⟨Q, n, δ⟩, ⟨q0, x0⟩ and a semi-closed formula φ with free variables in {x1, . . . , xn}. Question: is there an infinite run ρ starting at ⟨q0, x0⟩ such that ρ, 0 ⊨∅ φ? (Infinite runs of PCS are Presburger LTL models.)

SLIDES 57-58

Temporal Logics with Arithmetical Constraints

  • Rich literature:
    • Constraints on the number of event occurrences. [Bouajjani et al., LICS'95; Laroussinie et al., TIME'10]
    • Constraints on XML documents. [Dal Zilio & Lugiez, RTA'03; Seidl et al., ICALP'04]
    • Temporal semantics of imperative programs. [Manna & Pnueli, 1992]
      Program variable x never decreases below its initial value: ∃y (x = y) ∧ G(x ≥ y)
    • Graded modal logics. See e.g. http://www.cs.man.ac.uk/~ezolin/ml/
  • Model-checking restricted to LTL(Q) is already undecidable.

SLIDE 59

A Fragment CLTL

  • ψ(X^{i1} x_{j1}, . . . , X^{ik} x_{jk}) as a shortcut for ∃y1, . . . , yk (X^{i1}(y1 = x_{j1}) ∧ · · · ∧ X^{ik}(yk = x_{jk}) ∧ ψ(y1, . . . , yk)),
  • X^i x understood as the value of x at the i-th next state.
  • First counter remains constant: G(x1 = Xx1).
  • CLTL: fragment of Presburger LTL such that first-order quantification at the level of temporal formulae is restricted to formulae ψ(X^{i1} x_{j1}, . . . , X^{ik} x_{jk}).

SLIDES 60-62

Satisfiability Problems

  • Fragment F0 ∋ φ ::= xi < xj | xi = xj | xi ≤ k.
  • Satisfiability problem for CLTL(F0) is PSPACE-complete. (but no ω-regularity of symbolic models) [Demri & D'Souza, I&C 07]
  • Fragment F1 ∋ φ ::= xi ∼ xj + d | xi ∼ d, with d ∈ Z and ∼ ∈ {<, >, ≤, ≥, =}.
  • Satisfiability problem for CLTL^2_1(F1) (1 variable, X-length 2) or for CLTL^1_2(F1) (2 variables, X-length 1) is undecidable. See e.g. [Comon & Cortier, CSL'00; Demri & Gascon, TCS 09]
  • Satisfiability problem for CCTL⋆(F0) (branching-time version of CLTL(F0)) is decidable. (use of weak MSO with the bounding quantifier B) [Carapelle & Kartzow & Lohrey, CONCUR'13]

SLIDE 63

EXPSPACE Upper Bound for VASS

  • Control state repeated reachability problem restricted to VASS can be solved in exponential space.
  • Model-checking problem restricted to LTL(Q) and to VASS is EXPSPACE-complete. [Habermehl, ICATPN 97]
  • Decidability/undecidability results for linear-time temporal logic on Petri nets can be found in [Esparza, CAAP'94]; e.g., LTL(Q) + xi = 0 is undecidable.

SLIDES 64-65

What About Reversal-Bounded Counter Systems?

  • Control state repeated reachability problem restricted to reversal-bounded counter systems is decidable. See e.g. [Dang & Ibarra & San Pietro, FSTTCS'01]
  • Problem RBMC:
    Input: a CS C, ⟨q0, x0⟩, a CLTL formula φ, a bound r ∈ N (in binary). Question: is there an infinite run ρ from ⟨q0, x0⟩ such that ρ, 0 ⊨ φ and ρ is r-T-reversal-bounded with T = TC ∪ Tφ?
  • RBMC is NEXPTIME-complete. [Howell & Rosier, JCSS 87; Bersani & Demri, FROCOS'11; Hague & Lin, CAV'11] (Proof plan: RBMC ≤ repeated reachability ≤ reachability)
  • Global model-checking is also possible for RBMC.

SLIDE 66

Flat CS and LTL with Arithmetical Constraints [Demri & Dhar & Sangnier, IJCAR'12]

  • Flat CS and arithmetical constraints ≈ guards.
    φ ::= q | g | ¬φ | φ ∧ φ | φ ∨ φ | Xφ | φUφ | X⁻¹φ | φSφ
  • Model-checking flat CS with this fragment is NP-complete.

SLIDES 67-71

Main Ingredients

  • An algorithm in NP starts first by guessing a good infinitary path schema p1 l2+ p3 l4+ . . . l(k−1)+ pk lk^ω.
  • Ingredients of the proof aim at bounding the number of times loops are visited.
    1 Eliminating disjunctions in guards. · · · or how to flatten multiple loops with identical updates.
    2 Bounding the number of times loops are visited when guards are conjunctions of linear constraints. (loops may be visited an exponential number of times)
    3 Stuttering Theorem for Past LTL.

slide-73
SLIDE 73

How to Internalize the Choices for Path Schemas

  • How to deal with the nondeterminism related to the choice of the infinitary path schema using Boolean formulae?
  • How to deal with the nondeterminism related to the unfolding of the path schemas for eliminating disjunctions?
  • How to deal with the nondeterminism related to the number of times loops are visited?
  • May be related to how to find good accelerations? See e.g. [Finkel & Leroux, FSTTCS’02; Gonnord, PhD 06]

slide-76
SLIDE 76

Other Logics on Flat CS

  • Model-checking flat counter systems with FO or linear µ-calculus is PSPACE-complete (arithmetical constraints are still allowed). [Demri & Dhar & Sangnier, ICALP’13]
  • Model-checking flat CS with Presburger CTL⋆ is decidable. [Demri & Finkel & Goranko & van Drimmelen, JANCL 10]
  • By reduction into Presburger arithmetic: runs respecting a path schema are encoded as tuples of natural numbers by counting how many times loops are visited.
  • Open question: decidability status of model-checking flat CS beyond CTL⋆.

slide-77
SLIDE 77

Path Schema Subsumption: An Overview

Path Schema Subsumption: An Overview

42

slide-80
SLIDE 80

Why Path Schema Enumeration?

  • A finite set of path schemas is a simple way to represent a (potentially) infinite set of runs.
  • Enumerating path schemas as a way to underapproximate the set of runs (bounded model-checking).
  • How to generate path schemas in a structured and controlled fashion?
  • How to find a finite set of path schemas that fully captures the behavior of a PCS, if possible?
  • Strategy in which we have a clear way of detecting whether we have enumerated sufficiently many path schemas.

slide-82
SLIDE 82

Consistency and Subsumption

  • Finitary path schemas $P_1, \ldots, P_\alpha, P$. All the path schemas start and end by the same control states.
  • Consistency of $P$ wrt the initial condition $\phi_{init}(y_1, \ldots, y_n)$:

  $\exists x_1, \ldots, x_n \; \exists x'_1, \ldots, x'_n \; \phi_{init}(x_1, \ldots, x_n) \wedge \varphi_P(x_1, \ldots, x_n, x'_1, \ldots, x'_n)$

  • Existence of formula $\varphi_P$ guaranteed by property (⋆).
  • For the class of CS, the consistency problem is NP-complete.
  • $\{P_1, \ldots, P_\alpha\}$ subsumes $P$ wrt $\phi_{init}(y_1, \ldots, y_n)$:

  $\forall x_1, \ldots, x_n \; \forall x'_1, \ldots, x'_n \; \big(\phi_{init}(x_1, \ldots, x_n) \wedge \varphi_P(x_1, \ldots, x_n, x'_1, \ldots, x'_n)\big) \Rightarrow \bigvee_{i \in [1,\alpha]} \exists z_1, \ldots, z_n \; \phi_{init}(z_1, \ldots, z_n) \wedge \varphi_{P_i}(z_1, \ldots, z_n, x'_1, \ldots, x'_n)$

slide-83
SLIDE 83

General Subsumption (one step beyond reachability)

  • $[P]_{\phi_{init}} \stackrel{def}{=} \{\vec{x}_f : \langle q_0, \vec{x}_0\rangle \xrightarrow{*} \langle q_f, \vec{x}_f\rangle \text{ respects } P \text{ and } \vec{x}_0 \models \phi_{init}\}$.
  • Pattern $\phi_{pat}$: formula in Presburger LTL without FO quantification and with free occurrences of $y_1, \ldots, y_\alpha$.

  $[P]_{\phi_{pat},\phi_{init}} \stackrel{def}{=} \{E : \rho = \langle q_0, \vec{x}_0\rangle \xrightarrow{*} \langle q_f, \vec{x}_f\rangle \text{ respects } P,\ \vec{x}_0 \models \phi_{init} \ \&\ \rho, 0 \models_E \phi_{pat}\}$

  • $[P]_{\phi_{init}}$ above corresponds to $[P]_{\phi_{pat},\phi_{init}}$ with $\phi_{pat} \stackrel{def}{=} \mathrm{F}(x_1 = y_1 \wedge \cdots \wedge x_n = y_n \wedge \neg \mathrm{X}\top)$.
  • $\{P_1, \ldots, P_\alpha\}$ subsumes $P$ wrt $\phi_{init}(y_1, \ldots, y_n)$ and the pattern $\phi_{pat}$ $\stackrel{def}{\Leftrightarrow}$ $[P]_{\phi_{pat},\phi_{init}} \subseteq [P_1]_{\phi_{pat},\phi_{init}} \cup \cdots \cup [P_\alpha]_{\phi_{pat},\phi_{init}}$.
  • For any class of PCS satisfying (⋆), there is a reduction from the generalized path schema subsumption problem to the validity problem for (PA).
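To make the definitions concrete, here is an added example (not code from the slides or the author's tooling) that computes $[P]_{\phi_{init}}$ by enumerating how many times each loop is taken, as in the encoding of runs as tuples of natural numbers, and uses it to decide consistency and subsumption within assumed bounds; the 2-counter transitions, the schemas and the initial condition are constructed for illustration.

```python
from itertools import product
# Added example, not from the slides or the author's tooling: bounded
# brute-force consistency and subsumption checks for path schemas of a
# 2-counter system. A schema is a list of ('path', ts)/('loop', ts) segments;
# a run respecting it fires every loop at least once. Runs are enumerated by
# loop counts (the tuple-of-naturals encoding) rather than via phi_P, so the
# result is an under-approximation bounded by the assumed MAX_ITER/MAX_INIT.
MAX_ITER, MAX_INIT, DIM = 6, 4, 2

def run_schema(x, schema, counts):
    """Run x through the schema, taking the i-th loop counts[i] times;
    None if a guard fails or a counter would go negative."""
    loops = iter(counts)
    for kind, ts in schema:
        for _ in range(next(loops) if kind == 'loop' else 1):
            for guard, update in ts:
                if not guard(x):
                    return None
                x = tuple(a + d for a, d in zip(x, update))
                if min(x) < 0:
                    return None
    return x

def final_values(schema, phi_init):
    """[P]_phi_init: final counter values of bounded runs respecting P."""
    n_loops = sum(kind == 'loop' for kind, _ in schema)
    result = set()
    for x0 in product(range(MAX_INIT + 1), repeat=DIM):
        if phi_init(x0):
            for counts in product(range(1, MAX_ITER + 1), repeat=n_loops):
                xf = run_schema(x0, schema, counts)
                if xf is not None:
                    result.add(xf)
    return result

def consistent(schema, phi_init):
    return bool(final_values(schema, phi_init))

def subsumes(schemas, schema, phi_init):
    """{P1..Pa} subsumes P iff [P] lies in the union of the [Pi]."""
    covered = set().union(*(final_values(s, phi_init) for s in schemas))
    return final_values(schema, phi_init) <= covered

# Constructed transitions (guard, update) and schemas; guards are linear constraints.
INC1, INC2 = (lambda x: True, (1, 0)), (lambda x: True, (0, 1))
DEC1 = (lambda x: x[0] >= 1, (-1, 0))
PHI_INIT = lambda x: x[0] == 0 and x[1] <= 1   # initial condition: x1 = 0 and x2 <= 1
P = [('loop', [INC1]), ('loop', [DEC1, INC2])]  # x1 += k1, then move k2 <= k1 units to x2
Q = [('loop', [INC1]), ('loop', [INC2])]
P1, P2, P3 = [('loop', [INC1, INC2])], [('loop', [INC1])], [('loop', [INC2])]
BAD = [('path', [INC2]), ('loop', [DEC1])]      # the loop guard x1 >= 1 can never hold
```

Within the bounds, `subsumes([Q, P3], P, PHI_INIT)` holds while `subsumes([P1, P2], P, PHI_INIT)` fails, and `BAD` is inconsistent because its loop must fire at least once.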

slide-86
SLIDE 86

How to Deal with Quantifiers

  • Subsumption tests contain quantifiers.
  • Most well-known Satisfiability Modulo Theories (SMT) solvers deal with quantifier-free formulae.
  • Dealing with quantifiers is usually a difficult task for SMT solvers.
  • Examples of techniques to deal with quantifiers:
    • Quantifier elimination. See e.g. [Reddy & Loveland, STOC’78]
    • Heuristic instantiation. See e.g. [Reynolds et al, CADE’13]
    • Lazy approach to quantifier elimination. [Monniaux, CAV’10]
  • Challenge: How to use SMT solvers to enumerate path schemas and to perform subsumption?

slide-88
SLIDE 88

A Few Words about the Enumeration Algorithm

  • Paper contains a sketch of the algorithm for enumerating path schemas.
  • Subsumption tests parameterized by patterns and cycles are generated with cycle schemas.
  • Generation of path schemas without arithmetical constraints is complete, stratified and takes advantage of the generation of cycle schemas.
  • With subsumption on counter values, a complete version of the algorithm can be obtained if cycles are generated independently of cycle schemas.

slide-90
SLIDE 90

Concluding Remarks

  • Verification of temporal properties on PCS is in its infancy.
  • Need for methods to deal with (full) Presburger arithmetic or for proof systems dealing with model-checking.
  • How to take advantage of recent developments on SAT/SMT solvers to deal with nondeterminism, quantified formulae etc.?
  • Other related trends include SMT solvers for model-checking infinite-state systems, branching VASS, complexity for VASS, relationships between CS and data logics, etc.

slide-91
SLIDE 91

IJCAR’14 http://vsl2014.at/ijcar/

  • 7th International Joint Conference on Automated Reasoning, Vienna, Austria.
  • Dates
    • Submission: January 15th 2014
    • Notification: March 31st, 2014
    • Conference: July 19th to July 22nd 2014
    • Affiliated workshops: July 17, 18, 23, 24

IJCAR 2014

49