Part II: Symbolic reachability for prefix rewriting Case study: - PowerPoint PPT Presentation

Part II: Symbolic reachability for prefix rewriting

Case study: Drawing skylines static Random r = new Random(); static void m() { if (r.nextBoolean()) { s(); right(); if (r.nextBoolean()) m(); } else { up(); m(); down(); } } static void s() { if (r.nextBoolean()) return; up(); m(); down(); } public static void main() { s(); } 1

Model static void s() { var st: stack of { s 0 , . . . , s 5 , . . . } s 0 → s 1 s 0 → s 2 s 0 : if (r.nextBoolean()) s 1 → ǫ s 1 : return; s 2 → up 0 s 3 s 2 : up(); s 3 → m 0 s 4 s 3 : m(); s 4 : down(); s 4 → down 0 s 5 s 5 : s 5 → ǫ } 2

Symbolic reachability in prefix rewriting Recall: program state ( g , ℓ, n , ( ℓ 1 , n 1 ) . . . ( ℓ k , n k ) ) modelled as a word g � ℓ, n � � ℓ 1 , n 1 � . . . � ℓ k , n k � . Denote by G the alphabet of valuations of globals. Denote by L the alphabet of pairs � ℓ, n � . The set of possible programs states is given by G L ∗ 3

A subset of GL ∗ words is regular if it can be recognized by a finite automaton. Typically, the sets I and D of initial and dangerous program states are regular sets. (Even very simple ones, like g l L ∗ .) Challenge: show that if S ⊆ GL ∗ is (effectively) regular, then so are pre ∗ ( S ) and post ∗ ( S ) . This gives a procedure to check if I ∩ pre ∗ ( D ) = ∅ or post ∗ ( I ) ∩ D = ∅ . 4

Symbolic search Forward symbolic search Initialize S := I Iterate S := S ∪ post ( S ) until fixpoint. Backward search: replace I by D , replace post by pre . Questions: • Are S ∪ post ( S ) and S ∪ pre ( S ) regular for regular S ? • Does the search terminate ? We answer these questions for backward search, the forward case is similar. 5

If S regular, then S ∪ pre ( S ) regular We represent a regular set S ⊆ G L ∗ by an NFA. • G as set of initial states, L as alphabet. w • gw recognized if g − − → q for some final state q . Example: G = { g 0 , g 1 } and L = { l 0 , l 1 } Automaton coding the set g 0 l ∗ 1 l 0 + l 1 l 1 : l 1 l 0 g 0 l 0 l 1 g 1 6

R = { g 0 l 0 → g 0 g 1 l 1 → g 0 g 1 l 1 → g 1 l 1 l 0 } , , l 1 l 0 g 0 l 0 l 1 g 1 7

R = { g 0 l 0 → g 0 g 1 l 1 → g 0 g 1 l 1 → g 1 l 1 l 0 } , , l 1 l 0 g 0 g ′ l 0 0 l 1 g 1 g ′ 1 8

R = { g 0 l 0 → g 0 g 1 l 1 → g 0 g 1 l 1 → g 1 l 1 l 0 } , , l 1 l 0 g 0 g ′ l 0 0 l 1 g 1 g ′ 1 9

R = { g 0 l 0 → g 0 g 1 l 1 → g 0 g 1 l 1 → g 1 l 1 l 0 } , , l 1 l 0 l 0 g 0 g ′ l 0 0 l 1 g 1 g ′ 1 10

R = { g 0 l 0 → g 0 g 1 l 1 → g 0 g 1 l 1 → g 1 l 1 l 0 } , , l 1 l 0 l 0 g 0 g ′ l 0 0 l 1 g 1 g ′ 1 11

R = { g 0 l 0 → g 0 g 1 l 1 → g 0 g 1 l 1 → g 1 l 1 l 0 } , , l 1 l 0 l 0 g 0 g ′ l 0 0 l 1 l 1 g 1 g ′ 1 12

R = { g 0 l 0 → g 0 g 1 l 1 → g 0 g 1 l 1 → g 1 l 1 l 0 } , , l 1 l 0 l 0 g 0 g ′ l 0 0 l 1 l 1 g 1 g ′ 1 13

R = { g 0 l 0 → g 0 g 1 l 1 → g 0 g 1 l 1 → g 1 l 1 l 0 } , , l 1 l 0 l 0 g 0 g ′ l 0 0 l 1 l 1 g 1 g ′ 1 14

R = { g 0 l 0 → g 0 g 1 l 1 → g 0 g 1 l 1 → g 1 l 1 l 0 } , , l 1 l 0 l 0 g 0 g ′ l 0 0 l 1 l 1 g 1 g ′ 1 15

R = { g 0 l 0 → g 0 g 1 l 1 → g 0 g 1 l 1 → g 1 l 1 l 0 } , , l 0 l 1 l 0 l 0 g 0 g ′ l 0 0 l 1 l 1 g 1 g ′ 1 l 1 16

R = { g 0 l 0 → g 0 g 1 l 1 → g 0 g 1 l 1 → g 1 l 1 l 0 } , , l 0 l 1 l 0 l 0 g 0 g ′ l 0 0 l 1 l 1 g 1 17

R = { g 0 l 0 → g 0 g 1 l 1 → g 0 g 1 l 1 → g 1 l 1 l 0 } , , l 0 l 1 l 0 l 0 g 0 g ′′ g ′ l 0 0 0 l 1 l 1 g 1 g ′′ 1 18

R = { g 0 l 0 → g 0 g 1 l 1 → g 0 g 1 l 1 → g 1 l 1 l 0 } , , l 0 l 1 l 0 l 0 g 0 g ′′ g ′ l 0 0 0 l 1 l 1 g 1 g ′′ 1 19

R = { g 0 l 0 → g 0 g 1 l 1 → g 0 g 1 l 1 → g 1 l 1 l 0 } , , l 0 l 1 l 0 l 0 l 0 g 0 g ′′ g ′ l 0 0 0 l 1 l 1 g 1 g ′′ 1 20

R = { g 0 l 0 → g 0 g 1 l 1 → g 0 g 1 l 1 → g 1 l 1 l 0 } , , l 0 l 1 l 0 l 0 l 0 g 0 g ′′ g ′ l 0 0 0 l 1 l 1 g 1 g ′′ 1 21

R = { g 0 l 0 → g 0 g 1 l 1 → g 0 g 1 l 1 → g 1 l 1 l 0 } , , l 0 l 1 l 0 l 0 l 0 g 0 g ′′ g ′ l 0 0 0 l 1 l 1 l 1 g 1 g ′′ 1 22

R = { g 0 l 0 → g 0 g 1 l 1 → g 0 g 1 l 1 → g 1 l 1 l 0 } , , l 0 l 1 l 0 l 0 l 0 g 0 g ′′ g ′ l 0 0 0 l 1 l 1 l 1 g 1 g ′′ 1 23

R = { g 0 l 0 → g 0 g 1 l 1 → g 0 g 1 l 1 → g 1 l 1 l 0 } , , l 0 l 1 l 0 l 0 l 0 g 0 g ′′ g ′ l 0 0 0 l 1 l 1 l 1 l 1 g 1 g ′′ 1 24

R = { g 0 l 0 → g 0 g 1 l 1 → g 0 g 1 l 1 → g 1 l 1 l 0 } , , l 0 l 1 l 0 l 0 l 0 g 0 g ′′ g ′ l 0 0 0 l 1 l 1 l 1 l 1 g 1 g ′′ 1 25

R = { g 0 l 0 → g 0 g 1 l 1 → g 0 g 1 l 1 → g 1 l 1 l 0 } , , l 0 l 0 l 0 l 1 l 0 l 0 l 0 g 0 l 0 l 1 l 1 l 1 l 1 g 1 26

R = { g 0 l 0 → g 0 g 1 l 1 → g 0 g 1 l 1 → g 1 l 1 l 0 } , , l 0 l 0 l 0 l 1 l 0 l 0 l 0 g 0 l 0 l 1 l 1 l 1 l 1 g 1 27

Termination fails G = { g 0 , g 1 } , L = { l 0 , l 1 } R = { g 0 l 0 → g 0 , g 1 l 1 → g 0 , g 1 l 1 → g 1 l 1 l 0 } g 0 l 0 l ∗ S 0 = D = 1 l 0 + g 1 l 1 g 0 ( l 0 + l 2 0 ) l ∗ = S 0 ∪ pre ( S 0 ) = 1 l 0 + S 1 g 1 l 1 ( ǫ + l 0 ) l ∗ 1 ( ǫ + l 0 ) · · · g 0 ( l 0 + . . . + l i +1 ) l ∗ S i = S i − 1 ∪ pre ( S i − 1 ) = 1 l 0 + 0 g 1 l 1 ( ǫ + l 0 + . . . + l i 0 ) l ∗ 1 ( ǫ + l 0 ) · · · 28

Termination fails G = { g 0 , g 1 } , L = { l 0 , l 1 } R = { g 0 l 0 → g 0 , g 1 l 1 → g 0 , g 1 l 1 → g 1 l 1 l 0 } g 0 l 0 l ∗ S 0 = D = 1 l 0 + g 1 l 1 g 0 ( l 0 + l 2 0 ) l ∗ = S 0 ∪ pre ( S 0 ) = 1 l 0 + S 1 g 1 l 1 ( ǫ + l 0 ) l ∗ 1 ( ǫ + l 0 ) · · · g 0 ( l 0 + . . . + l i +1 ) l ∗ S i = S i − 1 ∪ pre ( S i − 1 ) = 1 l 0 + 0 g 1 l 1 ( ǫ + l 0 + . . . + l i 0 ) l ∗ 1 ( ǫ + l 0 ) · · · 29

Termination fails G = { g 0 , g 1 } , L = { l 0 , l 1 } R = { g 0 l 0 → g 0 , g 1 l 1 → g 0 , g 1 l 1 → g 1 l 1 l 0 } g 0 l 0 l ∗ S 0 = D = 1 l 0 + g 1 l 1 g 0 ( l 0 + l 2 0 ) l ∗ = S 0 ∪ pre ( S 0 ) = 1 l 0 + S 1 g 1 l 1 ( ǫ + l 0 ) l ∗ 1 ( ǫ + l 0 ) · · · g 0 ( l 0 + . . . + l i +1 ) l ∗ S i = S i − 1 ∪ pre ( S i − 1 ) = 1 l 0 + 0 g 1 l 1 ( ǫ + l 0 + . . . + l i 0 ) l ∗ 1 ( ǫ + l 0 ) · · · 30

Termination fails G = { g 0 , g 1 } , L = { l 0 , l 1 } R = { g 0 l 0 → g 0 , g 1 l 1 → g 0 , g 1 l 1 → g 1 l 1 l 0 } g 0 l 0 l ∗ S 0 = D = 1 l 0 + g 1 l 1 g 0 ( l 0 + l 2 0 ) l ∗ = S 0 ∪ pre ( S 0 ) = 1 l 0 + S 1 g 1 l 1 ( ǫ + l 0 ) l ∗ 1 ( ǫ + l 0 ) · · · g 0 ( l 0 + . . . + l i +1 ) l ∗ S i = S i − 1 ∪ pre ( S i − 1 ) = 1 l 0 + 0 g 1 l 1 ( ǫ + l 0 + . . . + l i 0 ) l ∗ 1 ( ǫ + l 0 ) · · · 31

However, the fixpoint g 0 l + pre ∗ ( D ) 0 l ∗ = 1 l 0 + g 1 l 1 l ∗ 0 l ∗ 1 ( ǫ + l 0 ) is regular. How can we compute it? 32

Accelerations By definition, pre ( D ) = � i ≥ 0 S i where S 0 = D and S i +1 = S i ∪ pre ( S i ) for every i ≥ 0 If convergence fails, try to compute an acceleration : a sequence T 0 ⊆ T 1 ⊆ T 2 . . . such that ∀ i ≥ 0: S i ⊆ T i (a) (b) ∀ i ≥ 0: T i ⊆ � j ≥ 0 S j = pre ( D ) Property (a) ensures capture of (at least) the whole set pre ( D ) Property (b) ensures that only elements of pre ( D ) are captured The acceleration guarantees termination if (c) ∃ i ≥ 0: T i +1 = T i 33

An acceleration for prefix rewriting Idea: reuse the same states R = { g 0 l 0 → g 0 , g 1 l 1 → g 0 , g 1 l 1 → g 1 l 1 l 0 } true / x, y := x +? , y +? true / x, y := x +? , y +? y = 1 / id x < 1 / id y = 1 / id x < 1 / id +? true / x, y := x +? , y +? x < 1 / id x < 1 / id x > 1 / id true / y := 0 true / y := 0 y < 1 / y := 0 y < 1 / y := 0 true / x, y := x +? , y +? true / x, y := x +? , y +? true / x, y := x +? , y +? true / x, y := 34

An acceleration for prefix rewriting Idea: reuse the same states R = { g 0 l 0 → g 0 , g 1 l 1 → g 0 , g 1 l 1 → g 1 l 1 l 0 } l 1 l 1 l 0 l 0 g 0 g 0 l 0 l 0 l 1 l 1 g 1 g 1 35

An acceleration for prefix rewriting Idea: reuse the same states R = { g 0 l 0 → g 0 , g 1 l 1 → g 0 , g 1 l 1 → g 1 l 1 l 0 } l 1 l 1 l 0 l 0 g 0 g 0 g ′ l 0 l 0 0 l 1 l 1 g 1 g 1 g ′ 1 36

An acceleration for prefix rewriting Idea: reuse the same states R = { g 0 l 0 → g 0 , g 1 l 1 → g 0 , g 1 l 1 → g 1 l 1 l 0 } l 1 l 1 l 0 l 0 g 0 g 0 g ′ l 0 l 0 0 l 1 l 1 g 1 g 1 g ′ 1 37

An acceleration for prefix rewriting Idea: reuse the same states R = { g 0 l 0 → g 0 , g 1 l 1 → g 0 , g 1 l 1 → g 1 l 1 l 0 } l 1 l 1 l 0 l 0 l 0 g 0 g 0 g ′ l 0 l 0 0 l 1 l 1 g 1 g 1 g ′ 1 38

An acceleration for prefix rewriting Idea: reuse the same states R = { g 0 l 0 → g 0 , g 1 l 1 → g 0 , g 1 l 1 → g 1 l 1 l 0 } l 1 l 0 l 1 l 0 l 0 l 0 g 0 g 0 g ′ l 0 l 0 0 l 1 l 1 g 1 g 1 g ′ 1 39

An acceleration for prefix rewriting Idea: reuse the same states R = { g 0 l 0 → g 0 , g 1 l 1 → g 0 , g 1 l 1 → g 1 l 1 l 0 } l 1 l 0 l 1 l 0 l 0 l 0 g 0 g 0 g ′ l 0 l 0 0 l 1 l 1 g 1 g 1 g ′ 1 40

An acceleration for prefix rewriting Idea: reuse the same states R = { g 0 l 0 → g 0 , g 1 l 1 → g 0 , g 1 l 1 → g 1 l 1 l 0 } l 1 l 0 l 1 l 0 l 0 l 0 g 0 g 0 g ′ l 0 l 0 0 l 1 l 1 l 1 g 1 g 1 g ′ 1 41