Liveness Checking as Safety Checking for Infinite State Spaces - PowerPoint PPT Presentation

Liveness Checking as Safety Checking for Infinite State Spaces Viktor Schuppan 1 , Armin Biere 2 1 Computer Systems Institute, ETH Z¨ urich 2 Institute for Formal Models and Verification, JKU Linz http://www.inf.ethz.ch/˜schuppan/ INFINITY’05, August 27, 2005, San Francisco, USA

Liveness vs. Safety: Finite State Systems 2 [Biere, Artho, Schuppan, 2002; Schuppan, Biere, 2004/2005] 2’ + 1 2 1 2 �→ 1’ + 3 3’ 3 Benefits: Transform system K + ω -reg. property φ – Selected examples: exponential speed-up into – Shortest counterexamples system K S + safety property φ S (competitive with BMC) such that – More tools/optimizations = φ ⇔ K S | = φ S K | – Q & d liveness algorithms – Fewer liveness proofs � 2005 V. Schuppan – Computer Systems Institute, ETH Z¨ c urich.

Contents 3 1. Introduction 2. Finite State Systems 3. Regular Model Checking 4. Pushdown Systems 5. Timed Automata 6. Conclusions � 2005 V. Schuppan – Computer Systems Institute, ETH Z¨ c urich.

Finite State Case — Example 4 1 !g r y g (Negation of) specification: (Buggy) traffic light ! G F g r,1 y,1 g,1 r,!g y,!g Product automaton � ω � Counterexample: (r,1) (y,1) (g,1) (r,!g) (y,!g) � 2005 V. Schuppan – Computer Systems Institute, ETH Z¨ c urich.

Finite State Case — Example transformation 5 1. Nondeterministically guess loop start, save state 2. Find fair state in loop 3. Find second occurrence of saved state, close loop can stop here! s (r,1) (y,1) (g,1) (r,!g) (y,!g) (r,!g) (y,!g) copy ^ ^ ^ s s s (r,!g) (r,!g) (r,!g) (r,!g) of s 0 0 0 lasso st st st lb lb lc lc fair 0 0 0 1 1 1 1 � 2005 V. Schuppan – Computer Systems Institute, ETH Z¨ c urich.

Finite State Case — Formal Definition 6 Let – K = ( S , T , I , L , F = { F 0 } ) be a fair finite Kripke structure, – ˆ s 0 ∈ S arbitrary but fixed. Then K S = ( S S , T S , I S , L S , F S ) is defined as: S S = S × S ×{ st , lb , lc }× I B I S = { ( s 0 , ˆ s 0 , st , 0 ) | s 0 ∈ I }∪ { ( s 0 , s 0 , lb , f ) | s 0 ∈ I ∧ ( f → s 0 ∈ F 0 ) } s , lo , f ) , ( s ′ , ˆ s ′ , lo ′ , f ′ )) | ( s , s ′ ) ∈ T ∧ T S = { (( s , ˆ (( lo = st ∧ lo ′ = st ∧ ¬ f ∧¬ f ′ s ′ = ˆ ∧ ˆ s = ˆ s 0 ) ∨ ( lo = st ∧ lo ′ = lb ∧ ¬ f ∧ ( f ′ → s ′ ∈ F 0 ) s 0 ∧ s ′ = ˆ s ′ ) ∨ ∧ ˆ s = ˆ ( lo = lb ∧ lo ′ = lb ∧ ( f → f ′ ) ∧ ( f ′ → f ∨ s ′ ∈ F 0 ) ∧ ˆ s ′ ) ∨ s = ˆ ( lo = lb ∧ lo ′ = lc ∧ f ∧ f ′ s = s ′ = ˆ s ′ ) ∨ ∧ ˆ ( lo = lc ∧ lo ′ = lc ∧ f ∧ f ′ s ′ )) } ∧ ˆ s = ˆ L S ( s S )= L ( s ) , where s S = ( s , ˆ s , lo , f ) = / 0 F S K has reachable fair loop ⇔ K S has reachable state s S w. lo ( s S ) = lc � 2005 V. Schuppan – Computer Systems Institute, ETH Z¨ c urich.

Finite State Case — Complexity 7 1 2 1 2 1 2 1’ 2’ 1’ 2’ 1’ 2’ 3 3 3 loop closed 3’ 3’ 3’ 1 2 1 2 1 2 loop body, 1’ 2’ 1’ 2’ 1’ 2’ 3 3 3 3’ 3’ 3’ fair 1 2 1 2 1 2 loop body, 1’ 2’ 1’ 2’ 1’ 2’ 3 3 3 not fair 3’ 3’ 3’ 1 2 stem 1’ 2’ 3 3’ |S| branches, no changing between branches | S S | O ( | S | 2 ) | T S | = = O ( | S |·| T | ) | ( T S ) ∗ | O ( | S |·| T ∗ | ) r S , d S = O ( d ) = � 2005 V. Schuppan – Computer Systems Institute, ETH Z¨ c urich.

Regular Model Checking 8 after [Bouajjani, Jonsson, Nilsson, Touili, 2000] Regular model checking: – Initial configurations: finite automaton on finite words – Transition relation: finite transducer on finite words length-preserving ⇒ lasso-shaped counterexamples Example: Token Passing: t Initial configurations n (t,t) Transition relation (n,n) (t,n) (n,t) (n,n) � 2005 V. Schuppan – Computer Systems Institute, ETH Z¨ c urich.

Regular Model Checking — Transformation 1 9 Problem: finite automaton can’t store unbounded words Solution: – Use pairs of characters instead of character: first is original, second is saved component – Prefix with position on lasso Initial configurations: start on stem: (t,−) st don’t save config. (n,−) lb start on loop body: (t,t) save config. (n,n) � 2005 V. Schuppan – Computer Systems Institute, ETH Z¨ c urich.

Regular Model Checking — Transformation 2 10 Transition relation: ^ ^ ((t,a),(t,a)) remain in stem, loop body or loop closed ^ ^ ^ ^ ^ ^ ^ ^ ((n,a),(n,a)) ((t,a),(n,a)) ((n,a),(t,a)) ((n,a),(n,a)) (st,st) v (lb,lb) v (lc,lc) ((t,−),(t,t)) save config: (st,lb) switch from stem to loop body ((n,−),(n,n)) ((t,−),(n,n)) ((n,−),(t,t)) ((n,−),(n,n)) (lb,lc) ((t,t),(t,t)) close loop: switch from loop body to loop closed ((n,n),(n,n)) ((t,n),(n,n)) ((n,t),(t,t)) ((n,n),(n,n)) � 2005 V. Schuppan – Computer Systems Institute, ETH Z¨ c urich.

Regular Model Checking — Bounded Local Depth 11 Bouajjani et al. show that bounded local depth is sufficient for termination of their computation of the transitive closure. Assume, the original system has bounded local depth k . The transformation preserves boundedness: st st lb lb lc − − a a a l,0 a l,0 a a l,0 a l,0 a l,0 ... ... ... 0,0 l−1,0 k−1,0 − − a a a l,1 a l,1 a a l,1 a l,1 a l,1 0,1 l−1,1 k−1,1 ... ... ... ... ... ... ... ... ... ... − − a a a l,n a l,n a a l,n a l,n a l,n 0,n l−1,n k−1,n < + + + + k 1 k 1 k 3k + 2 = � 2005 V. Schuppan – Computer Systems Institute, ETH Z¨ c urich.

Pushdown Systems — Repeatable Heads 1 12 [Bouajjani, Esparza, Maler, 1997] head (control state, top symbol) repeatable head 1. matching heads 2. sufficient stack height stack grows κ stack ϕ φ φ γ (top symbol) δ δ ν β γ γ α s t u v w x y z u w z u control state � 2005 V. Schuppan – Computer Systems Institute, ETH Z¨ c urich.

Pushdown Systems — Repeatable Heads 2 13 [Bouajjani, Esparza, Maler, 1997] head (control state, top symbol) repeatable head 1. matching heads 2. sufficient stack height => can repeat infinitely often => found in every infinite run κ ϕ φ φ κ δ stack ϕ φ φ γ (top symbol) δ β γ α s t u v w x y z u v w x y z control state � 2005 V. Schuppan – Computer Systems Institute, ETH Z¨ c urich.

Pushdown Systems — Transformation 14 start loop: save head, mark stack height on loop: check stack height, set error flag loop closure: check head, error flag κ,0 stack ϕ,0 φ,0 φ,0 φ,0 γ,0 δ,0 δ,0 δ,0 δ,0 δ,0 δ,0 δ,− ν,− β,− γ,− γ,1 γ,1 γ,1 γ,1 γ,1 γ,1 γ,− γ,− γ,− α,− α,− α,− α,− α,− α,− α,− α,− α,− α,− α,− α,− s t u v w x y z u w z u control state control state (copy) − − − u u u u u u u u u stack top (copy) − − − γ γ γ γ γ γ γ γ γ lasso st st st lb lb lb lb lb lb lc lc lc stack height error − − − 0 0 0 0 0 0 0 0 0 � 2005 V. Schuppan – Computer Systems Institute, ETH Z¨ c urich.

Pushdown Systems — No Shortest Counterexamples 15 shortest counterexample χ δ χ δ stack β β β β β β β β soonest 2nd α α α α α α α α α α α α occurrence of repeatable head control state s s s t t t u u u t t t The soonest second occurrence of a repeatable head does not guarantee shortest counterexamples. That requires repeatable prefixes. � 2005 V. Schuppan – Computer Systems Institute, ETH Z¨ c urich.

Timed Automata 16 W.r.t. ω -regular properties, timed automata can be abstracted to ordinary finite state automata [Alur, Dill, 1994]. Region construction can be expressed within formalism (with difference constraints). ⇒ technical, “can be done”. � 2005 V. Schuppan – Computer Systems Institute, ETH Z¨ c urich.

Related Work 17 Infinite state systems: Shilov, Yi, Eo, O, Choe, 2001/2005 Reduction of SOEPDL ( > 2M of C. Stirling) to reachability. Requires closure under Cartesian product and subset constructions. Doubly exponential. Bouajjani, Esparza, Maler, 1997 is reduction to reachability. Requires sep- arate computation of “bad states”. Aceto, Bouyer, Burgue˜ no, Larsen, 1998/2003 Power of reachability test- ing for timed automata. Finite state systems: Burch, 1990 Reduction for timed trace structures. Requires user to come up with appropriate time constraint. Ultes-Nitsche, 2002 Satisfaction within fairness corresponds to some safety property. Not always desired semantics. � 2005 V. Schuppan – Computer Systems Institute, ETH Z¨ c urich.

The End 18 Conclusions – Reduction usually is “pulling the algorithm into the model.” – System size typically grows moderately Future work – Experimental evaluation. – When does it not work? – Use it to come up with liveness algorithm. � 2005 V. Schuppan – Computer Systems Institute, ETH Z¨ c urich.