The Analysis of Infinite-State Systems Bernard Boigelot Universit - - PowerPoint PPT Presentation

SLIDE 1

The Analysis of Infinite-State Systems

Bernard Boigelot Universit´ e de Li` ege http://www.montefiore.ulg.ac.be/˜boigelot/

1

SLIDE 2

• 1. Introduction

2

SLIDE 3

Infinite-State Systems A model can have an infinite number of configurations because of

• Unbounded data.

Example: Bakery algorithm:

repeat forever: x1 := x2 + 1; await x2 = 0 or x1 ≤ x2; critical; x1 := 0; || repeat forever: x2 := x1 + 1; await x1 = 0 or x2 < x1; critical; x2 := 0;

• Dense data.

Example: Leaking gas burner (hybrid system).

˙ x = 1 ˙ y = 1 ˙ z = 1 x ≤ 1 x ≤ 1 − → x := 0 x ≥ 30 − → x := 0 ∧ z = 0 x = 0 ∧ y = 0 L ¬L ˙ x = 1 ˙ y = 1 ˙ z = 0

3

SLIDE 4

• Unbounded control:

– Parallel composition of an arbitrary number of identical processes.

|| || || || || · · · ||

• N

– Dynamic instantiation of processes. – Recursive procedure calls. Example:

visit(node n): . . . if not(leaf(n)) then

{

visit(n.left); visit(n.right);

}

4

SLIDE 5

Analyzing Infinite-State Systems: Motivation There are many good reasons to write infinite-state models:

• They are natural abstractions of very large finite systems.

Example: Concurrent machines communicating through unbounded FIFO channels.

• They are good models of parameterized systems.
• Timed systems can be modeled without discretizing time.

5

SLIDE 6

Modeling Infinite-State Systems In this course, we consider systems modeled by extended automata:

• The control is finite, and is represented by a finite graph.
• The number of processes is fixed.
• The data is modeled by a finite number of variables over unbounded

domains.

• The edges of the control graph are labeled by data operations.

6

SLIDE 7

Example: Bakery algorithm.

2 1 2 1 x1 = x2 = 0 x1 := x2 + 1 x1 := 0 x1 ≤ x2 x2 == 0 x1 == 0 x2 := x1 + 1 x2 := 0 x2 < x1

7

SLIDE 8

Dealing with Infinite Control In some cases, unbounded control can be transformed into unbounded data by

• using a counter abstraction.

= ⇒

    

l1 = 2 l2 = 2 l3 = 1

• representing the control structure (e.g., the recursion stack) with the

help of additional variables.

8

SLIDE 9

Analyzing Extended Automata Our goal is to check reachability properties:

• Deciding whether a given set of configurations is reachable or not.
• Computing a manageable representation of the set of all reachable

configurations. Motivations:

• Most interesting properties of real-life systems are reachability

properties.

• If we cannot decide reachability, then there is probably not much we

can do. Remark: For most classes of extended automata, reachability is undecidable! Our solutions will take the form of semi-algorithms.

9

SLIDE 10

Analyzing Extended Automata: Main Issues

• The infinite sets that must be manipulated have to be represented by

finite data structures. The chosen representation system must be – concise and efficient; – closed over some essential operations.

• We need mechanisms for computing in finite time infinite sets of

reachable configurations. These must be powerful enough to capture the “source of infiniteness” in the model under analysis.

10

SLIDE 11

• 2. Symbolic State-Space

Exploration

11

SLIDE 12

State-Space Exploration Principles:

• Start from the set of initial configurations;
• Compute repeatedly new reachable configurations.

Algorithm: S := S0; T := S; while S = ∅ : S := θ(S) \ T; T := T ∪ S.

...

S0 S3 S2 S1

Problem: Exploration does not terminate if the reachability depth of all the configurations is unbounded. Solution: Meta-transitions.

12

SLIDE 13

Meta-Transitions Principles:

• Meta-transitions are generalized transitions aimed at propagating

reachability.

• A meta-transition can potentially generate an infinite set of

configurations from a finite one.

(c, v) (c′, m1) (c′, m2) (c′, m3) . . .

m 13

SLIDE 14

Accelerated State-Space Exploration Idea : Adding meta-transitions to the transition relation of the model can speed up state-space exploration (and even make it terminate). Example :

[1] [2] [3] [4] x := 0 even?(x) x := x + 2 x > 1000000

The effect of the loop [2] − → [3] − → [2] can be computed in one step.

14

SLIDE 15

State-space exploration :

{([1], ⊥)} {([2], 2k + 2) | k ∈ N} {([4], 2k + 1000002) | k ∈ N} {([3], 2k + 2) | k ∈ N} {([2], 0)} {([3], 2)} {([2], 2)} x := x + 2 x := 0 even?(x) x := x + 2 even?(x) x > 1000000 m {([2], 2k) | k ∈ N}

− → T = {([1], ⊥), ([2], 2k), ([3], 2k + 2), ([4], 2k + 1000002) | k ∈ N }

15

SLIDE 16

Symbolic Representation of Data Sets In order to be able to implement symbolic state-space exploration, one needs a representation system for sets of data values. Requirements:

• Closed under ∪, ∩ (if possible), \, ×, data operations.
• Emptiness and set inclusion should be decidable.
• Whether a given data transformation can be turned into a

meta-transition should be decidable.

16

SLIDE 17

Automata-Based Representations Principles:

• Data values are encoded as words over some finite alphabet.
• This encoding relation maps sets of values onto languages.
• If the language L encoding a set S is regular, then any finite-state

automaton that accepts L forms a representation of S. Advantages:

• Expressive enough for many applications.
• Large class of simple, efficient, and well-studied manipulation

algorithms.

• Deterministic automata admit a canonical form.

17

SLIDE 18

Example: Unbounded FIFO Channels Framework:

• The data domain is of the form Σ∗

1 × Σ∗ 2 × · · · × Σ∗ n, where

– n > 0 is the number of channels, – each Σi is the finite message alphabet of the i-th channel qi; – the Σi are assumed to be distinct.

• The data operations are limited to

– send operations qi!a, and – receive operations qi?a for each i ≤ n and a ∈ Σi.

qi?a qi qi!a a a · · ·

18

SLIDE 19

Encoding Channel Contents Principles:

• The sequential encoding ES maps every channel-set content

(w1, . . . , wn) onto the concatenation w1 · w2 · · · wn of the individual channel contents. The set of valid encodings is thus V = Σ∗

1 · Σ∗ 2 · · · Σ∗ n.

• A Queue Decision Diagram (QDD) representing a set

U ⊆ Σ∗

1 × Σ∗ 2 × · · · × Σ∗ n is a finite-state automaton accepting the

language ES(U). Property: The sets that are representable by QDDs are exactly those that can be expressed as a finite union of Cartesian products of regular languages over the message alphabets.

19

SLIDE 20

QDDs: Data Operations Send:

a+b: a a b a a b b (q!b)[a+b]:

Receive:

(q?a)[a+b]: a a b

20

SLIDE 21

Iterating Sequences of Data Operations In order to add meta-transitions to a channel system, one must be able to compute the effect of repeating a sequence of channel operations. To compute σ∗(A) from a sequence of operations σ and a QDD A, we proceed as follows:

• We unroll σ∗(A) =

k σk(A).

• Some periodicity will eventually occur within the σk(A).
• This periodicity can be captured by a finite structure.

21

SLIDE 22

Iterating a Sequence on a QDD

a∗b: a b a b a b (q!b; q?a)∗[a∗b]: b b b · · · b

Theorem: This operation can always be performed if there is no more than one channel in the system.

22

SLIDE 23

QDDs: Operations on Multiple Channels

• For single operations, one simply operates as before on the part of the

QDD corresponding to the relevant channel.

• The result of iterating a sequence of operations cannot always be

represented as a QDD. Example: (q1!a; q2!b)∗. The problem comes from the ability to count the number of iterations from the content of two or more channels.

• When at most one channel allows to count the number of iterations,
• ne can combine the result of handling separately the different

channels.

23

SLIDE 24

• 3. Unbounded Integer Variables

24

SLIDE 25

Framework

• The data domain is Zn;
• The data operations are of the form

P x ≤ q − →

• x := A

x + b, with P ∈ Zm×n, q ∈ Zm, A ∈ Zn×n, and b ∈ Zn. Example:

2 1 2 1 x1 = x2 = 0 x1 := x2 + 1 x1 := 0 x1 ≤ x2 x2 == 0 x1 == 0 x2 := x1 + 1 x2 := 0 x2 < x1

25

SLIDE 26

Number Decision Diagrams Principles:

• Integers are encoded in a base r > 1, most or least significant digit

first.

• Negative numbers are encoded by their r’s complement.
• The number of digits p in the encodings of z is not fixed, but must

satisfy −rp−1 ≤ z < rp−1. Examples: Enc2(12) = 0+1100 Enc2(−7) = 1+001.

26

SLIDE 27

• Vectors are encoded by reading repeatedly one digit for each

component, in a fixed order.

• The component digits can be combined in several ways.

Synchronous encoding: Enc2((−4, 6, 3)) = (1, 0, 0)+(1, 1, 0)(0, 1, 1)(0, 0, 1) Serial encoding: Enc2((−4, 6, 3)) = (100)+110011001.

• An NDD representing a set S ⊆ Zn is an automaton accepting all the

encodings of all the elements in S.

27

SLIDE 28

From Linear Constraints to NDDs An NDD representing the set { x ∈ Zn | a. x = b} can be constructed by

• associating to each state q an integer β(q) such that any path ending

in q reads a solution of a. x = β(q);

• starting the construction from a state qF such that β(qF) = b;
• applying a backward propagation rule:

q

• d

q′

β(q) = β(q′) − a. d r

28

SLIDE 29

Example: 2x − y = −4

11 01 10 00 10 01 11 00 10 00 11 00 10 q0 −4 −2 −3 −1 29

SLIDE 30

NDDs: Expressiveness Theorem: A set S ⊆ Zn is representable by an NDD in a base r > 1 iff it can be defined in the first-order theory Z, +, ≤, Vr, where Vr(z) is the greatest power of r that divides z. Theorem: A set S ⊆ Zn is representable by an NDD in any base r > 1 iff it can be defined in the first-order theory Z, +, ≤ (i.e., Presburger arithmetic). Automata-based representations of sets thus provide a simple algorithm for deciding Presburger arithmetic.

30

SLIDE 31

NDDs: Meta-transitions Applying a meta-transition m amounts to computing the image of a set by (P x ≤ q → x := A x + b)∗, The effect of the transformation θ ≡ x := A x + b can be a combination

• f :
• Projections:

θ∗(S) = S ∪ θ(S);

• Rotations:

θ∗(S) = S ∪ θ(S) ∪ θ2(S) ∪ · · · ∪ θp−1(S);

31

SLIDE 32

• Translations:

. . .

θ∗(S) = S + v∗ = { x + k v | x ∈ S ∧ k ∈ N}, where v is the translation vector.

• Scalings:

. . .

θ∗(S) = {λk x | x ∈ S ∧ k ∈ N}, where λ is the scaling factor.

32

SLIDE 33

Projections, rotations, and translations can always be applied to NDDs. Scalings are only allowed if the factor λ is a rational power of the representation base. Theorem: The iteration of a linear transformation x := A x + b preserves the representability of sets in a base r > 1 iff there exist m ∈ N and p ∈ N0 such that

• All the eigenvalues of Ap belong to {0, rm}, and
• Ap is diagonalizable.

Notes:

• There exists a decision algorithm based on simple integer arithmetic.
• The proof is constructive and translates into an algorithm for

computing the representation of θ∗(S) given S.

33

SLIDE 34

Example

• x1

x2

• :=
• x1 + x2

x1

• (1, 2) → (3, 1) → (4, 3) → (7, 4) → (11, 7) → (18, 11) → (29, 18) → · · ·

Not iterable.

• x1

x2

• :=
• x1 + x2

−x1

• (1, 2) → (3, −1) → (2, −3) → (−1, −2) → (−3, 1) → (−2, 3) → (1, 2) →

· · · Iterable!

34

SLIDE 35

Application: The Lift Controller The system is composed of

• a control panel that prompts the user for a floor number,
• a motor controller that moves the car in the appropriate direction.

The number of floors N can be

• specified in the model (the number of reachable configurations is then

O(N2)),

• made infinite (i.e., there is no top floor),
• turned into a parameter (the initial set of configurations then contains

all the values of N greater than 1).

35

SLIDE 36

Lift Controller: Simple-PROMELA Model

int c = 1, g = 1, a = 0, N = 10; process motor { do :: go_up: atomic { a == 1 -> up: a = 0; c = c + 1 } :: go_down: atomic { a == 2 -> down: a = 0; c = c - 1 }

• d

} process control { do :: too_low: atomic { c < g -> a = 1 } ; raise: a == 0 :: too_high: atomic { c > g -> a = 2 } ; lower: a == 0 :: atomic { c == g -> do :: low: g < N -> incr: g = g + 1 :: high: g > 1 -> decr: g = g - 1 :: break

• d }

:: assert c >= 1 :: assert c <= N

• d;

meta (low), incr, low; meta (high), decr, high } meta (control.too_low, motor.go_up), control.raise, motor.up, motor.go_up, control.too_low; meta (control.too_high, motor.go_down), control.lower, motor.down, motor.go_down, control.too_high; 36

SLIDE 37

Lift Controller: Runtime Statistics

N Rel. Reach. ttot (s)

• Mem. (b)

2 1751 123 8.51 344124 3 1751 175 9.25 397672 4 1751 337 14.17 730296 5 1751 349 13.28 707100 6 1751 402 17.53 888602 7 1751 355 14.36 746420 8 1751 601 23.69 1231180 9 1751 609 20.75 1138864 10 1751 664 26.82 1323048 100 1751 1306 69.78 2579876 1000 1751 1913 140.02 3701240 10000 1751 2684 220.02 5072576 100000 1751 3329 325.06 6283068 1000000 1751 3938 462.04 7399076 ∞ 849 181 9.91 578332 any 2295 231 57.83 2403828

37

SLIDE 38

Lift Controller: Sample LASH run (N = 1000000000)

Compilation statistics: number of gates : 0. number of processes : 3. number of variables : 4. total number of control locations : 11. number of synchronized transitions : 0. number of meta-transitions : 4. Translating the transition relation... with transitions : 1647 NDD state(s). with synchronised transitions : 1647 NDD state(s). with transitions & meta-transitions : 4017 NDD state(s). Translating the set of initial states... initial set : 218 NDD state(s). Starting state-space exploration...

• interm. result : 638 NDD state(s), 3 states.
• interm. result : 1044 NDD state(s), 1000000003 states.
• interm. result : 1461 NDD state(s), 3999999999 states.
• interm. result : 2709 NDD state(s), 500000005499999997 states.
• interm. result : 4596 NDD state(s), 1500000006499999995 states.
• interm. result : 6409 NDD state(s), 3500000004499999994 states.
• interm. result : 7020 NDD state(s), 6499999997499999999 states.
• interm. result : 7808 NDD state(s), 7999999995000000000 states.
• interm. result : 8655 NDD state(s), 8999999994000000000 states.
• interm. result : 8658 NDD state(s), 9499999993500000000 states.
• interm. result : 8663 NDD state(s), 9999999993000000000 states.

Fixpoint reached in 11 step(s). *** Program validated. Runtime statistics: residual memory : 0 byte(s). max memory : 4344928 byte(s). 38

SLIDE 39

• 4. Real Variables

39

SLIDE 40

Framework We consider linear hybrid automata:

• The data domain is Rn.
• At each location v, the evolution law is characterized by

– a rectangular activity R(v) : l ≤ ˙

• x ≤

u. – an invariant I(v) : P x ≤ q.

• The transformation associated to a control transition e, is defined by

– a guard G(e) : P ′ x ≤ q ′. – an assignment A(e) : x := A′ x + b.

40

SLIDE 41

Linear Hybrid Automata: Semantics A configuration (v′, x′) can be reached from a configuration (v, x) by

• a discrete step:

∃e : e = (v, v′), x ∈ G(e), ( x, x′) ∈ A(e), and x′ ∈ I(v′).

• a time step:

v = v′, ∃t ≥ 0 : x + t l ≤ x′ ≤ x + t u, and x′ ∈ I(v), where ( l, u) = R(v).

41

SLIDE 42

Linear Hybrid Automata: Example “Leaking Gas Burner” model:

˙ x = 1 ˙ y = 1 ˙ z = 1 x ≤ 1 x ≤ 1 − → x := 0 x ≥ 30 − → x := 0 ∧ z = 0 x = 0 ∧ y = 0 L ¬L ˙ x = 1 ˙ y = 1 ˙ z = 0

42

SLIDE 43

Problem: The symbolic representation system for data values must be expressive enough for some “interesting” linear hybrid automata. Examples:

• “Simple protocol” :

1 x y 1 2 3 4

• Leaking Gas Burner:

20 40 60 80 100 120 y 1 2 3 4 z

43

SLIDE 44

Real Vector Automata

• Real numbers are encoded as infinite words over r digits 0, 1, . . . , r − 1,

and a separator ⋆. Example: Enc2(3.5) = 0+11 ⋆ 1(0)ω ∪ 0+11 ⋆ 0(1)ω.

• Vectors of reals are encoded as infinite words over either

{0, 1, . . . , r − 1}n ∪ {⋆}, or {0, 1, . . . , r − 1, ⋆}.

• A Real Vector Automaton (RVA) representing a set S ⊆ Rn is a B¨

uchi automaton accepting all the base-r encodings of all the vectors in S.

44

SLIDE 45

Real Vector Automata: Properties

• The expressiveness of RVA corresponds to the first-order theory

R, Z, +, ≤, Xr, where Xr is a base-dependent predicate.

• The sets that are definable in R, Z, +, ≤ can be represented by weak

deterministic RVA. Manipulation algorithms (∩, ∪, ×, ⊆?, ∃, . . . ) are then simple and efficient. Example:

1 1

x2 x1

45

SLIDE 46

.

6 (1,0) 10 (0,1) 13 (0,0) 1 (1,1) 7

*

(1,0) (0,1) (0,0) (1,1) 11

*

(1,0) (0,1) (0,0) (1,1) 14

*

(1,0) (0,1) (0,0) (1,1) (1,0) (0,1) (0,0) (1,1) 2

*

3 (1,1) 4 (1,0) 5 (0,0) (1,1) (1,0) (0,0) 8 (1,0) (1,1) 9 (0,1) (1,0) (1,1) (0,1) (0,1) 12 (0,0) (1,0) (0,0) (1,0) (1,0) (0,0) (1,1) 15 (0,1) (0,0) (0,1) (1,0) (1,1)

.

46

SLIDE 47

Linear Hybrid Transformations Goal: Characterize the transformations θ that label the paths of linear hybrid automata. Starting point: Time step at a location v, followed by a transition step from v to v′ along e. θ(S) = { x′ ∈ Rn | (∃ x ∈ S)(∃ x′′ ∈ Rn)(∃t ∈ R≥0)( x + t l ≤ x′′ ≤ x + t u ∧ x′′ ∈ I(v) ∧ x′′ ∈ G(e) ∧ ( x′′, x′) ∈ A(e) ∧ x′ ∈ I(v′))}, where ( l, u) ∈ R(v). Note that I(v), G(e), A(e) and I(v′) are systems of linear equalities and inequalities. One can thus eliminate the quantifiers over x′′ and t.

47

SLIDE 48

Definition: A Linear Hybrid Transformation (LHT) (P, q) is a transformation of the form θ : 2Rn → 2Rn : S →

• x′ ∈ Rn | (∃

x ∈ S)

• P
• x
• x′
• ≤

q

• ,

with n > 0, P ∈ Zm×2n, q ∈ Zm and m ≥ 0. Property: LHT are closed under composition. They can therefore describe the transformations labeling arbitrary control paths of linear hybrid automata.

48

SLIDE 49

Iterating Linear Hybrid Transformations Goal: Develop a sufficient condition for checking whether a LHT θ is such that θ∗(S) is definable in R, Z, +, ≤ for all S definable in that theory. First restriction: The k-th image θk( x0) of a vector x0 should be definable in R, Z, +, ≤ as a function of x0 and k. It is known that the subsets of R that are definable in R, Z, +, ≤ are ultimately periodic. Second restriction: For every x0 ∈ Rn, the sequence of polyhedra { x0}, θ({ x0}), θ2({ x0}), . . . must satisfy some periodicity requirements.

49

SLIDE 50

Periodic Transformations Consider the LHT θ:

• P ′ | P ′′
• P
• x
• x′
• ≤

q

• A transformation

x → x′ : p ′′. x′ = q − p ′. x is periodic iff for every d ∈ R, the image of the plane { x′ ∈ Rn | p ′′. x′ = d} is the plane { x′ ∈ Rn | p ′′. x′ = d + δ}, where δ is independent from d.

• A transformation

x → x′ : p ′′. x′ ≤ q − p ′. x is periodic iff the transformation x → x′ : p ′′. x′ = q − p ′. x is periodic.

• A LHT (P,

q) is periodic iff each row p ′′. x′ ≤ q − p ′. x of its linear system induces a periodic transformation.

50

SLIDE 51

Illustration: θ({ x0}) θ2({ x0}) θ3({ x0}) θ4({ x0})

• x0

51

SLIDE 52

A Periodicity Criterion Theorem: Let θ be the transformation x → x′ : p ′′. x′ = q − p ′.

• x. This

transformation is periodic iff either p ′ = 0, p ′′ = 0, or p ′ = − p ′′. Proof sketch: Assume p ′′ =

• 0. The image by θ of a plane

{ x′ ∈ Rn | p ′′. x′ = d} is a (n − 1)-plane iff p ′ and p ′′ are colinear, i.e.,

• p ′ = λ

p ′′. Rewriting into the periodicity condition, one gets λ ∈ {0, −1}. Criterion: A LHT (P, q) is periodic iff its underlying linear system is only composed of constraints of the form p. x ≤ q, p. x′ ≤ q, and p.( x′ − x) ≤ q.

52

SLIDE 53

Image Computation Problem: Given a periodic LHT θ : (P, q), and a set S ⊆ Rn definable in R, Z, +, ≤, compute θk(S) for arbitrary k > 0. Let first consider transformations in which all the constraints are of the form p.( x′ − x) ≤ q. Theorem: Let θ1 be the LHT characterized by the linear system P1( x′ − x) ≤

• q1. The LHT induced by the system P1(

x′ − x) ≤ k q1, with k > 0, is equal to θk

1.

Proof sketch: For any k > 0 and x ∈ Rn, we have θk

1(

x) = { x + δ1 + δ2 + · · · + δk | (∀i ∈ [1, . . . , k])(P1 δi ≤ q1)}.

53

SLIDE 54

By convexity, if δ1, δ2, . . . , δk belong to the polyhedron P1 δi ≤ q1, so does

• δ = (

δ1 + δ2 + · · · + δk)/k. Each δi can thus be chosen equal to δ. We hence have θk

1(

x) = { x + δ | P1 δ ≤ k q1}.

θ({ x0}) θ2({ x0}) θ3({ x0}) θ4({ x0})

• x0

54

SLIDE 55

Generalizing to LHT with additional constraints C of the form p. x ≤ q and

• p.

x′ ≤ q is easy: Since these constraints are convex, and the trajectory x1, x2, . . . , xk of a vector x0 can always be constrained to follow a straight line, it is sufficient that x1 and xk satisfy C. Theorem: For every S ⊆ Rn and k ≥ 2, θk(S) = θ(θk−2

1

(θ(S) ∩ C) ∩ C). Note that this expression is defined in R, Z, +, ≤.

55

SLIDE 56

Reduction Step Problem: There exist non-periodic LHT θ such that for any x ∈ Rn, the sequence θ( x), θ2( x), θ3( x), . . . is ultimately periodic. Main reason: The range θ(Rn) may have a dimension smaller than n. In such a case, it it sufficient to study the transformation θ in a restricted subspace.

✁✁ ✁✁ ✁✁ ✁✁ ✂✁✂✁✂ ✂✁✂✁✂ ✂✁✂✁✂ ✂✁✂✁✂ ✄✁✄✁✄ ✄✁✄✁✄ ✄✁✄✁✄ ✄✁✄✁✄ ☎✁☎✁☎ ☎✁☎✁☎ ☎✁☎✁☎ ☎✁☎✁☎ ✆✁✆✁✆ ✆✁✆✁✆ ✆✁✆✁✆ ✆✁✆✁✆ ✝✁✝✁✝ ✝✁✝✁✝ ✝✁✝✁✝ ✝✁✝✁✝ ✞✁✞✁✞✁✞ ✞✁✞✁✞✁✞ ✞✁✞✁✞✁✞ ✞✁✞✁✞✁✞ ✞✁✞✁✞✁✞ ✞✁✞✁✞✁✞ ✞✁✞✁✞✁✞ ✞✁✞✁✞✁✞ ✞✁✞✁✞✁✞ ✟✁✟✁✟✁✟ ✟✁✟✁✟✁✟ ✟✁✟✁✟✁✟ ✟✁✟✁✟✁✟ ✟✁✟✁✟✁✟ ✟✁✟✁✟✁✟ ✟✁✟✁✟✁✟ ✟✁✟✁✟✁✟ ✟✁✟✁✟✁✟ ✠✁✠✁✠ ✠✁✠✁✠ ✠✁✠✁✠ ✠✁✠✁✠ ✡✁✡✁✡ ✡✁✡✁✡ ✡✁✡✁✡ ✡✁✡✁✡

θ θ θ θ Rn

This reduction can be performed by a simple variable change operation.

56

SLIDE 57

• 5. Generic Acceleration

57

SLIDE 58

Principles

• The transition relation is modeled by a finite-state transducer T;
• Let T0 = T ∪ Id. The goal is to compute the limit of the sequence

T0(A0), (T0)2(A0), (T0)3(A0), . . . , where A0 represents the set of initial configurations. Approach:

• One attempts to detect similarities between automata in the sequence.
• If these automata always differ by a constant increment, their infinite

union can be captured by a finite-state structure.

• The safety and preciseness of the results can then be checked.

58

SLIDE 59

Key ideas

• Sampling: Only consider selected powers of the transducer to be

iterated.

• Normalization: Work with reduced deterministic (w.r.t. input/output

pairs) automata.

• Increment detection and extrapolation: Proceed by comparing

successive transducers in a sequence of iterated transducers; identifying the difference between these in the form of an “increment”, and extrapolating the repetition of this increment.

• Preciseness check: Check algorithmically whether the extrapolated

transducer is “exact”.

59

SLIDE 60

Arithmetic transducers: Example Transducer for (x, x + 1) ∪ (x, x):

1 1,1 0,0 2 1,0 0,0 1,1 0,1 1,0

60

SLIDE 61

Increments: Example T 2:

3 1 1,0 2 0,0 1,1 0,0 1,1 1,0 0,1 0,0 1,1

T 8:

4 3 1,0 5 0,0 1,1 1 0,0 1,0 1,1 2 0,1 0,0 1,1 6 1,0 0,0 0,1 1,0 1,1 1,1 0,0 0,1 1,0 0,1 0,0 1,1

T 4:

4 2 1,0 3 0,0 1,1 1 0,0 1,0 1,1 0,1 0,0 1,1 1,0 0,1 0,0 1,1

T 16:

5 4 1,0 6 0,0 1,1 1 0,0 1,0 1,1 2 0,1 0,0 1,1 7 1,0 0,0 0,1 1,0 1,1 3 1,1 0,0 0,1 8 1,0 0,0 0,1 1,0 1,1 0,0 1,1 0,1 1,0 0,1 0,0 1,1

61

SLIDE 62

Sampling

• It is often possible to extract an infinite sub-sequence T s1, T s2, T s3, . . .
• f powers of T in which an increment can be detected.
• However,

i≥0T si is not necessarily equal to i≥0T i.

• The problem is solved by working with the reflexive closure T0 of T,

since

i≥0T i = i≥0T si 0 .

62

SLIDE 63

Detecting increments (1) Common parts between T si

0 and T si+1

can be identified by

• a forwards equivalence relation Esi

f between states, based on equality

• f accepted languages, and
• a backwards equivalence relation Esi

b , based on isomorphism from the

initial state.

T si

0 :

T si+1 :

Q

si+1 H

Q

si+1 I0

Esi

b

Esi

f

Q

si+1 T

Qsi

b

Qsi

f

63

SLIDE 64

Detecting increments (2) In a sequence T si

0 , T si+1

, T si+2 , . . . , repeated increments can be detected by following forwards and backwards equivalences.

T si

0 :

Q

si b

T

si+3

:

Q

si+3 H

Q

si+3 I0

T

si+2

:

Q

si+2 H

Q

si+2 I0

T

si+1

:

Q

si+1 H

Q

si+1 I0

E

si+2 b

E

si+1 b

E

si f

Q

si+1 Tf

E

si b

E

si+1 b

E

si+2 f

Q

si+3 I2

E

si+2 f

E

si+1 f

Q

si+2 Tf

E

si+1 f

Q

si+2 I1

E

si+2 f

Q

si+3 Tf

E

si+2 b

Q

si+2 T

Q

si+3 T

Q

si f

Q

si+3 I1

Q

si+1 T

64

SLIDE 65

Detecting increments (3) In order to capture the increment structure, one needs to compare the transitions between the increments. Two increments Qsi+k

Iα

and Qsi+k

Iβ

are communication equivalent iff, for each matched pair (q, q′) ∈ Qsi+k

Iα

× Qsi+k

Iβ

, and a ∈ Σ × Σ, either

• δ(q, a) ∈ Qsi+k

Iα

and δ(q′, a) ∈ Qsi+k

Iβ

, hence leading to corresponding states by the existing isomorphism,

• δ(q, a) and δ(q′, a) are both undefined,
• δ(q, a) and δ(q′, a) both lead to the same state of the tail end Qsi+k

Tf

, or

• there exists some γ such that δ(q, a) and δ(q′, a) lead to corresponding

states of respectively Qsi+k

Iα+γ and Qsi+k Iβ+γ.

65

SLIDE 66

Extrapolating increments The extrapolation is carried on by adding transitions to the head increment QI0 according to the following rule: For each state q ∈ QI0 and a ∈ Σ × Σ,

• If δ(q, a) leads to a state q′ in an increment QIj, 1 ≤ j ≤ k − 1, then
• add transitions from q and labeled by a to the state corresponding to

q′ (by the increment isomorphism) in each of the increments QIℓ with 0 ≤ ℓ < j.

QH QI0 QI1 QI2 QI3 a a a a . . .

66

SLIDE 67

Is it a good approximation? After having constructed the extrapolation Te∗, it remains to check whether this transducer corresponds to

i≥0T i or not. This is done by

checking that the extrapolation is safe and precise.

• An extrapolation is safe if it captures all behaviors of

i≥0T i.

• An extrapolation is precise if it captures no more behavior than

i≥0T i.

• Checking safety of Te∗ is quite easy. It suffices to test that

L(Te∗)◦L(Te∗)⊆L(Te∗).

• Checking preciseness is more difficult. There exists a sufficient

criterion for doing this.

67

SLIDE 68

Experiments Relation |T0| |T ∗

0|

Max |T i

0|

(x, x + 1) 3 3 11 (x, x + 7) 7 9 91 (x, x + 73) 14 75 933 (((x, y), (x + 2, y − 1)) ∪ ((x, y), (x − 1, y + 2))) ∩ N2 × N2 19 70 1833 ((x, y), (x + 2, y − 1)) ∪ ((x, y), (x − 1, y + 2)) ∪ ((x, y), (x + 1, y + 1))) ∩ N2 × N2 21 31 635 ((w, x, y, z), (w + 1, x + 2, y + 3, z + 4)) 91 251 2680

68

SLIDE 69

• 6. Conclusions

69

SLIDE 70

• Infinite-state systems are often more precise abstractions than

finite-state models with unrealistic restrictions.

• Not having a termination guarantee is not really a problem.
• The central issue is acceleration:

– Specific techniques are powerful, but restricted to limited frameworks. – Generic methods are promising, but still costly.

• We have focused on exact reachability analysis, but the approach can

be combined with abstractions, or approximation generators (e.g., widening).

70