 
The Analysis of Infinite-State Systems
Bernard Boigelot
Université de Liège
http://www.montefiore.ulg.ac.be/~boigelot/

1. Introduction
Infinite-State Systems
A model can have an infinite number of configurations because of
• Unbounded data. Example: Bakery algorithm (two processes running in parallel):

  Process 1:                          Process 2:
  repeat forever:                     repeat forever:
    x1 := x2 + 1;                       x2 := x1 + 1;
    await x2 = 0 or x1 ≤ x2;            await x1 = 0 or x2 < x1;
    critical;                           critical;
    x1 := 0;                            x2 := 0;

• Dense data. Example: Leaking gas burner (hybrid system). [Figure: hybrid automaton with two locations, L (leaking) and ¬L (not leaking), over the continuous variables x, y, z; initial condition x = 0 ∧ y = 0 ∧ z = 0; in L: ẋ = 1, ẏ = 1, ż = 1, invariant x ≤ 1; in ¬L: ẋ = 1, ẏ = 1, ż = 0; edge L → ¬L guarded by x ≤ 1 with reset x := 0; edge ¬L → L guarded by x ≥ 30 with reset x := 0.]
• Unbounded control:
  – Parallel composition of an arbitrary number N of identical processes: P || P || · · · || P (N copies).
  – Dynamic instantiation of processes.
  – Recursive procedure calls. Example:

    visit(node n):
      . . .
      if not(leaf(n)) then {
        visit(n.left);
        visit(n.right);
      }
Analyzing Infinite-State Systems: Motivation
There are many good reasons to write infinite-state models:
• They are natural abstractions of very large finite systems. Example: concurrent machines communicating through unbounded FIFO channels.
• They are good models of parameterized systems.
• Timed systems can be modeled without discretizing time.

Modeling Infinite-State Systems
In this course, we consider systems modeled by extended automata:
• The control is finite, and is represented by a finite graph.
• The number of processes is fixed.
• The data is modeled by a finite number of variables over unbounded domains.
• The edges of the control graph are labeled by data operations.
Example: Bakery algorithm. [Figure: extended automaton for the two processes, each with control states 0, 1, 2, initially x1 = x2 = 0. Process 1: 0 → 1 on x1 := x2 + 1; 1 → 2 on either guard x2 == 0 or x1 ≤ x2; 2 → 0 on x1 := 0. Process 2: 0 → 1 on x2 := x1 + 1; 1 → 2 on either guard x1 == 0 or x2 < x1; 2 → 0 on x2 := 0.]

Dealing with Infinite Control
In some cases, unbounded control can be transformed into unbounded data by
• using a counter abstraction: instead of tracking which of the N identical processes sits at each control location, one keeps one counter per location. [Figure: five processes distributed over the locations l1, l2, l3 are abstracted into the counters l1 = 2, l2 = 2, l3 = 1.]
• representing the control structure (e.g., the recursion stack) with the help of additional variables.
Analyzing Extended Automata
Our goal is to check reachability properties:
• Deciding whether a given set of configurations is reachable or not.
• Computing a manageable representation of the set of all reachable configurations.
Motivations:
• Most interesting properties of real-life systems are reachability properties.
• If we cannot decide reachability, then there is probably not much we can do.
Remark: For most classes of extended automata, reachability is undecidable! Our solutions will take the form of semi-algorithms.

Analyzing Extended Automata: Main Issues
• The infinite sets that must be manipulated have to be represented by finite data structures. The chosen representation system must be
  – concise and efficient;
  – closed under some essential operations.
• We need mechanisms for computing in finite time infinite sets of reachable configurations. These must be powerful enough to capture the “source of infiniteness” in the model under analysis.

2. Symbolic State-Space Exploration
State-Space Exploration
Principles:
• Start from the set of initial configurations;
• Compute repeatedly new reachable configurations.
Algorithm:
  S := S0;
  T := S;
  while S ≠ ∅:
    S := θ(S) \ T;
    T := T ∪ S.
[Figure: successive layers S0, S1, S2, S3, . . . of configurations discovered by the exploration.]
Problem: Exploration does not terminate if the reachable configurations have unbounded reachability depth.
Solution: Meta-transitions.

Meta-Transitions
Principles:
• Meta-transitions are generalized transitions aimed at propagating reachability.
• A meta-transition can potentially generate an infinite set of configurations from a finite one. [Figure: a meta-transition m maps the single configuration (c, v) to the configurations (c′, m1), (c′, m2), (c′, m3), . . .]
Accelerated State-Space Exploration
Idea: Adding meta-transitions to the transition relation of the model can speed up state-space exploration (and even make it terminate).
Example: [Figure: extended automaton with control states [1], [2], [3], [4]; edges [1] → [2]: x := 0; [2] → [3]: x := x + 2; [3] → [2]: even?(x); [2] → [4]: x > 1000000.]
The effect of the loop [2] → [3] → [2] can be computed in one step.

State-space exploration:
  {([1], ⊥)}
    x := 0                          →  {([2], 0)}
    meta-transition m (the loop)    →  {([2], 2k) | k ∈ N}
    x := x + 2                      →  {([3], 2k + 2) | k ∈ N}        (from ([2], 0) alone: {([3], 2)})
    even?(x)                        →  {([2], 2k + 2) | k ∈ N}        (from ([3], 2) alone: {([2], 2)})
    x > 1000000                     →  {([4], 2k + 1000002) | k ∈ N}
  T = {([1], ⊥), ([2], 2k), ([3], 2k + 2), ([4], 2k + 1000002) | k ∈ N}
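The exploration above, as an added example in Python (not code from the original slides): sets of values of the single variable x are represented as finite unions of arithmetic progressions, which is an assumption of this example that suffices for one variable (Section 3 introduces the general representation for integer vectors). The meta-transition m is computed exactly from the loop body x := x + 2; even?(x), and the same worklist loop is also run without m to show that plain exploration never reaches a fixpoint.

```python
"""Accelerated symbolic exploration of the x := x + 2 example (added example;
not code from the original slides).  A set of values of the integer variable
x is a frozenset of progressions (a, d) standing for {a + k*d | k >= 0}
(d = 0 is the singleton {a}); None stands for the undefined value at [1].
This representation is an assumption of the example, sufficient for one
variable."""
from math import gcd


def subsumed(p, q):
    """Is progression p included in progression q?  (None only equals None.)"""
    if p is None or q is None:
        return p == q
    (a, d), (a2, d2) = p, q
    if d2 == 0:
        return d == 0 and a == a2
    return a >= a2 and (a - a2) % d2 == 0 and d % d2 == 0


def normalize(progs):
    """Drop every progression already covered by another one in the set."""
    ps = frozenset(progs)
    return frozenset(p for p in ps if not any(q != p and subsumed(p, q) for q in ps))


def reset(S):                 # x := 0 (defined even when x is undefined)
    return frozenset({(0, 0)}) if S else frozenset()


def shift(S, c):              # x := x + c
    return frozenset((a + c, d) for a, d in (p for p in S if p is not None))


def guard_gt(S, n):           # x > n: keep only the part of each progression above n
    out = set()
    for a, d in (p for p in S if p is not None):
        if a > n:
            out.add((a, d))
        elif d > 0:
            k0 = (n - a) // d + 1        # first index with a + k0*d > n
            out.add((a + k0 * d, d))
    return frozenset(out)


def guard_even(S):            # even?(x)
    out = set()
    for a, d in (p for p in S if p is not None):
        if d % 2 == 0:                   # all elements have the parity of a
            if a % 2 == 0:
                out.add((a, d))
        else:                            # parity alternates: keep every other element
            out.add((a if a % 2 == 0 else a + d, 2 * d))
    return frozenset(out)


def accel_add(S, c):
    """Meta-transition for the loop body x := x + c: {x + k*c | x in S, k >= 0}.
    a + d*N + c*N is a shifted numerical semigroup: above the Frobenius number
    every multiple of g = gcd(d, c) is reachable, plus finitely many smaller
    values, so the result is again a finite union of progressions."""
    out = set()
    for a, d in (p for p in S if p is not None):
        if d == 0:
            out.add((a, c))
            continue
        g = gcd(d, c)
        d1, c1 = d // g, c // g
        frob = d1 * c1 - d1 - c1         # largest value of the form k*d1 + j*c1 that is NOT reachable
        small = {k * d1 + j * c1 for k in range(c1) for j in range(d1)}
        out.update((a + g * m, 0) for m in small if m <= frob)
        out.add((a + g * (frob + 1), g))
    return normalize(out)


def explore(edges, init, max_rounds=1000):
    """The slide's loop: S := S0; T := S; while S != {}: S := theta(S) \\ T; T := T u S.
    edges: list of (src, dst, op), op acting on value sets; meta-transitions are
    ordinary entries of this list.  Returns T (control state -> value set) once
    a fixpoint is reached, or None after max_rounds rounds."""
    T = {q: normalize(s) for q, s in init.items()}
    S = dict(T)
    for _ in range(max_rounds):
        theta = {}
        for src, dst, op in edges:
            if src in S:
                theta[dst] = theta.get(dst, frozenset()) | op(S[src])
        S = {}
        for q, progs in theta.items():
            new = {p for p in normalize(progs)
                   if not any(subsumed(p, t) for t in T.get(q, ()))}
            if new:
                S[q] = frozenset(new)
                T[q] = normalize(T.get(q, frozenset()) | S[q])
        if not S:
            return T
    return None


EDGES = [
    (1, 2, reset),                               # [1] -> [2]: x := 0
    (2, 3, lambda S: shift(S, 2)),               # [2] -> [3]: x := x + 2
    (3, 2, guard_even),                          # [3] -> [2]: even?(x)
    (2, 4, lambda S: guard_gt(S, 1000000)),      # [2] -> [4]: x > 1000000
]
# Meta-transition m for the loop [2] -> [3] -> [2], sigma = (x := x + 2; even?(x)):
# sigma*(S) = S u {x + 2k | x in S, x even, k >= 0}  (an odd x admits only sigma^0).
META = (2, 2, lambda S: normalize(S | accel_add(guard_even(S), 2)))
INIT = {1: frozenset({None})}


def reachable(with_meta=True, max_rounds=1000):
    return explore(EDGES + ([META] if with_meta else []), INIT, max_rounds)


if __name__ == "__main__":
    print(reachable())            # fixpoint: [2] -> {(0, 2)}, [3] -> {(2, 2)}, [4] -> {(1000002, 2)}
    print(reachable(with_meta=False, max_rounds=50))   # None: new singletons forever
```

The run with the meta-transition reaches the fixpoint of the slide in four rounds; without it every round only adds the next even number, so the bound on rounds is what stops the loop.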
Symbolic Representation of Data Sets
In order to be able to implement symbolic state-space exploration, one needs a representation system for sets of data values.
Requirements:
• Closed under ∪, ∩ (if possible), \, ×, and the data operations.
• Emptiness and set inclusion should be decidable.
• Whether a given data transformation can be turned into a meta-transition should be decidable.

Automata-Based Representations
Principles:
• Data values are encoded as words over some finite alphabet.
• This encoding relation maps sets of values onto languages.
• If the language L encoding a set S is regular, then any finite-state automaton that accepts L forms a representation of S.
Advantages:
• Expressive enough for many applications.
• Large class of simple, efficient, and well-studied manipulation algorithms.
• Deterministic automata admit a canonical form (the minimal automaton), so equality of represented sets can be tested syntactically.
Example: Unbounded FIFO Channels
Framework:
• The data domain is of the form Σ1* × Σ2* × · · · × Σn*, where
  – n > 0 is the number of channels,
  – each Σi is the finite message alphabet of the i-th channel qi;
  – the Σi are assumed to be distinct (pairwise disjoint), so that channel boundaries can be recovered from a concatenation of channel contents.
• The data operations are limited to
  – send operations qi!a, and
  – receive operations qi?a,
  for each i ≤ n and a ∈ Σi.
[Figure: channel qi drawn as a FIFO buffer; qi!a appends the message a at the tail, qi?a removes a message a from the head.]

Encoding Channel Contents
Principles:
• The sequential encoding E_S maps every channel-set content (w1, . . . , wn) onto the concatenation w1 · w2 · · · wn of the individual channel contents. The set of valid encodings is thus V = Σ1* · Σ2* · · · Σn*.
• A Queue Decision Diagram (QDD) representing a set U ⊆ Σ1* × Σ2* × · · · × Σn* is a finite-state automaton accepting the language E_S(U).
Property: The sets that are representable by QDDs are exactly those that can be expressed as a finite union of Cartesian products of regular languages over the message alphabets.
QDDs: Data Operations
Send: (q!b)[a + b] = ab + bb. The message b is appended to every represented content: a fresh accepting state is reached by b from each former accepting state, and it becomes the only accepting state. [Figure: automaton for a + b and the resulting automaton for ab + bb.]
Receive: (q?a)[a + b] = ε. Only the contents starting with a survive, with that first message removed: the initial state is moved past the a-transitions. [Figure: automaton for a + b and the resulting automaton accepting the empty word only.]

Iterating Sequences of Data Operations
In order to add meta-transitions to a channel system, one must be able to compute the effect of repeating a sequence of channel operations.
To compute σ*(A) from a sequence of operations σ and a QDD A, we proceed as follows:
• We unroll $\sigma^*(A) = \bigcup_{k \ge 0} \sigma^k(A)$.
• Some periodicity will eventually occur within the σ^k(A).
• This periodicity can be captured by a finite structure.

Iterating a Sequence on a QDD
Example: (q!b; q?a)*[a*b]. Each application of q!b; q?a appends one b and removes one leading a, so σ^k(a*b) = a*b^(k+1), and the union over all k ≥ 0 is a*b b*. [Figure: automaton for a*b, its unrollings a*bb, a*bbb, . . ., and the resulting automaton for a*b b*: a loop on a, one b, then a loop on b.]
Theorem: This operation can always be performed if there is no more than one channel in the system.
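The send and receive operations of the previous slides, and the unrolling of (q!b; q?a) on a*b, as an added Python example (not code from the original slides). A single-channel QDD is kept as a small NFA with a set of initial states; the class and helper names are this example's own, and the general periodicity detection that yields σ*(A) in finite form is not implemented, only the unrollings σ^k(A) are.

```python
"""Single-channel QDD operations (added example; not code from the original
slides).  A QDD is an NFA over the message alphabet: a set of initial states,
a transition map (state, message) -> successor set, and accepting states.
Names below are this example's own."""
from dataclasses import dataclass


@dataclass(frozen=True)
class QDD:
    initial: frozenset      # initial states (a set, so that receive stays a cheap move)
    delta: dict             # (state, message) -> frozenset of successor states
    final: frozenset        # accepting states
    nstates: int            # states are numbered 0 .. nstates-1


def step(states, delta, m):
    """All states reached from `states` by reading the message m."""
    return frozenset().union(*(delta.get((s, m), frozenset()) for s in states))


def send(A, m):
    """q!m: append m to every represented content.  A fresh state, reached by m
    from each former accepting state, becomes the only accepting one."""
    f = A.nstates
    delta = dict(A.delta)
    for s in A.final:
        delta[(s, m)] = delta.get((s, m), frozenset()) | {f}
    return QDD(A.initial, delta, frozenset({f}), f + 1)


def receive(A, m):
    """q?m: keep the contents starting with m, minus that m.  Only the initial
    states move; contents that cannot deliver m are dropped (possibly all)."""
    return QDD(step(A.initial, A.delta, m), dict(A.delta), A.final, A.nstates)


def accepts(A, content):
    """Is the channel content (a string of one-letter messages) represented by A?"""
    states = A.initial
    for m in content:
        states = step(states, A.delta, m)
    return bool(states & A.final)


def is_empty(A):
    """Emptiness test: is no accepting state reachable from the initial states?"""
    seen, work = set(A.initial), list(A.initial)
    while work:
        s = work.pop()
        for (src, _), dsts in A.delta.items():
            if src == s:
                for t in dsts:
                    if t not in seen:
                        seen.add(t)
                        work.append(t)
    return not (seen & A.final)


def apply_sequence(A, sigma, k=1):
    """sigma^k(A): apply the sequence sigma (list of ('!' or '?', message)) k times."""
    for _ in range(k):
        for kind, m in sigma:
            A = send(A, m) if kind == "!" else receive(A, m)
    return A


# QDDs for the two example languages of the slides (constructed inputs).
A_PLUS_B = QDD(frozenset({0}), {(0, "a"): frozenset({1}), (0, "b"): frozenset({1})},
               frozenset({1}), 2)                               # a + b
A_STAR_B = QDD(frozenset({0}), {(0, "a"): frozenset({0}), (0, "b"): frozenset({1})},
               frozenset({1}), 2)                               # a*b
SIGMA = [("!", "b"), ("?", "a")]                                # q!b; q?a


def unroll_check(k):
    """sigma^k(a*b) should be a* b^(k+1): the shortest member, a longer member,
    and the word with one b too few."""
    Ak = apply_sequence(A_STAR_B, SIGMA, k)
    return accepts(Ak, "b" * (k + 1)), accepts(Ak, "a" + "b" * (k + 1)), accepts(Ak, "b" * k)


if __name__ == "__main__":
    print(accepts(send(A_PLUS_B, "b"), "ab"), accepts(receive(A_PLUS_B, "a"), ""))
    print([unroll_check(k) for k in range(4)])
```

Receiving a from a QDD whose contents all start with b gives an automaton with no initial state, which is_empty reports; in an exploration that is the signal that the receive transition is not enabled.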
QDDs: Operations on Multiple Channels
• For single operations, one simply operates as before on the part of the QDD corresponding to the relevant channel.
• The result of iterating a sequence of operations cannot always be represented as a QDD. Example: (q1!a; q2!b)*. The problem comes from the ability to count the number of iterations from the contents of two or more channels.
• When at most one channel allows one to count the number of iterations, one can combine the results of handling the different channels separately.

3. Unbounded Integer Variables

Framework
• The data domain is $\mathbb{Z}^n$;
• The data operations are of the form
    $P\vec{x} \le \vec{q} \;\rightarrow\; \vec{x} := A\vec{x} + \vec{b}$,
  with $P \in \mathbb{Z}^{m \times n}$, $\vec{q} \in \mathbb{Z}^m$, $A \in \mathbb{Z}^{n \times n}$, and $\vec{b} \in \mathbb{Z}^n$.
Example: Bakery algorithm. [Figure: the same extended automaton as in Section 1, with data operations of this form: each process has control states 0, 1, 2, initially x1 = x2 = 0; Process 1: 0 → 1 on x1 := x2 + 1; 1 → 2 on x2 == 0 or x1 ≤ x2; 2 → 0 on x1 := 0; Process 2: 0 → 1 on x2 := x1 + 1; 1 → 2 on x1 == 0 or x2 < x1; 2 → 0 on x2 := 0.]
Number Decision Diagrams
Principles:
• Integers are encoded in a base r > 1, most or least significant digit first.
• Negative numbers are encoded by their r's complement.
• The number of digits p in the encodings of z is not fixed, but must satisfy $-r^{p-1} \le z < r^{p-1}$ (so the leading sign digit may be repeated).
Examples: Enc_2(12) = 0 1100 (sign digit 0, then 1100, i.e. 01100); Enc_2(−7) = 1 001 (sign digit 1, then 001, i.e. 1001, the 2's complement of 7 on 4 bits).
• Vectors are encoded by reading repeatedly one digit for each component, in a fixed order.
• The component digits can be combined in several ways.
  Synchronous encoding (one tuple of digits per position): Enc_2((−4, 6, 3)) = (1, 0, 0) (1, 1, 0) (0, 1, 1) (0, 0, 1), the first tuple holding the sign digits.
  Serial encoding (digits interleaved one component at a time): Enc_2((−4, 6, 3)) = 100 110011001, the first three digits being the sign digits.
• An NDD representing a set S ⊆ Z^n is an automaton accepting all the encodings of all the elements in S.

From Linear Constraints to NDDs
An NDD representing the set $\{\vec{x} \in \mathbb{Z}^n \mid \vec{a}\cdot\vec{x} = b\}$ can be constructed by
• associating to each state q an integer β(q) such that any path ending in q reads a solution of $\vec{a}\cdot\vec{x} = \beta(q)$;
• starting the construction from a state q_F such that β(q_F) = b;
• applying a backward propagation rule: for a transition $q \xrightarrow{\vec{d}} q'$ reading the digit tuple $\vec{d}$ (most significant digit first, so the value read so far becomes $r\vec{x} + \vec{d}$),
    $\beta(q) = \dfrac{\beta(q') - \vec{a}\cdot\vec{d}}{r}$,
  the transition existing only when this quotient is an integer.
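The encodings of the two previous slides and the backward construction of this slide, as an added Python example (not code from the original slides). The conventions are the slides' (base r, most significant digit first, r's complement, any admissible length p); the automaton layout, with states labelled by β and a separate initial state that reads the tuple of sign digits, and all function names are this example's own. The construction is run for the constraint x1 − x2 = 3 in base 2 and checked against brute force.

```python
"""NDD encodings and the NDD of a linear equation a.x = b (added example;
not code from the original slides).  Conventions follow the slides: base r,
most significant digit first, r's complement for negative numbers, any
number p of digits with -r**(p-1) <= z < r**(p-1).  The automaton layout
(states labelled by beta, an extra initial state for the sign digits) is
this example's own."""
from itertools import product


def min_len(z, r):
    """Smallest p such that -r**(p-1) <= z < r**(p-1)."""
    p = 1
    while not -r ** (p - 1) <= z < r ** (p - 1):
        p += 1
    return p


def enc(z, r, p=None):
    """Enc_r(z) on p digits (default: the minimal p), MSD first, as a digit list."""
    p = min_len(z, r) if p is None else p
    assert -r ** (p - 1) <= z < r ** (p - 1), "p too small for z"
    v = z % r ** p                   # r's complement: a negative z becomes r**p + z
    digits = []
    for _ in range(p):
        digits.append(v % r)
        v //= r
    return digits[::-1]


def dec(digits, r):
    """Inverse of enc: the leading digit is the sign digit (0 or r-1)."""
    v = 0
    for d in digits:
        v = v * r + d
    return v - r ** len(digits) if digits[0] == r - 1 else v


def enc_vector(xs, r, sync=True):
    """Synchronous encoding (one digit tuple per position) or serial encoding
    (digits interleaved component by component) of an integer vector."""
    p = max(min_len(x, r) for x in xs)
    words = [enc(x, r, p) for x in xs]
    if sync:
        return [tuple(w[i] for w in words) for i in range(p)]
    return [w[i] for i in range(p) for w in words]


def ndd_equation(a, b, r):
    """NDD for {x in Z^n | a.x = b} over the synchronous encoding, built by the
    backward propagation rule.  Reading the digit tuple d turns the value x read
    so far into r*x + d, hence beta(q) = (beta(q') - a.d) / r for q -d-> q', the
    transition existing only when that quotient is an integer.  Returns
    (initial state, transitions {(state, d): state}, final state)."""
    n = len(a)
    trans, states, work = {}, {b}, [b]
    while work:                      # |beta| shrinks towards sum(|a_i|): finitely many states
        beta2 = work.pop()
        for d in product(range(r), repeat=n):
            num = beta2 - sum(ai * di for ai, di in zip(a, d))
            if num % r == 0:
                beta = num // r
                trans[(beta, d)] = beta2
                if beta not in states:
                    states.add(beta)
                    work.append(beta)
    # The first tuple holds the sign digits: r-1 means the component starts with
    # the value -1, 0 with the value 0, so the tuple s leads to beta = a.v(s).
    init = "init"
    for s in product((0, r - 1), repeat=n):
        beta = -sum(ai for ai, si in zip(a, s) if si == r - 1)
        if beta in states:
            trans[(init, s)] = beta
    return init, trans, b


def accepts(ndd, word):
    """Run the (deterministic) NDD on a synchronous encoding."""
    q, trans, final = ndd
    for d in word:
        q = trans.get((q, d))
        if q is None:
            return False
    return q == final


def solves(ndd, xs, r):
    """Membership of an integer vector: encode it and run the NDD."""
    return accepts(ndd, enc_vector(xs, r))


if __name__ == "__main__":
    print(enc(12, 2), enc(-7, 2))                  # [0, 1, 1, 0, 0] [1, 0, 0, 1]
    print(enc_vector((-4, 6, 3), 2))               # [(1, 0, 0), (1, 1, 0), (0, 1, 1), (0, 0, 1)]
    print(enc_vector((-4, 6, 3), 2, sync=False))   # [1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1]
    ndd = ndd_equation((1, -1), 3, 2)              # x1 - x2 = 3
    print(solves(ndd, (5, 2), 2), solves(ndd, (2, 5), 2))   # True False
```

Because the propagation runs backwards from b, every state it creates has |β| at most max(|b|, Σ|a_i|), which is why the worklist terminates; states that no sign-digit tuple can reach are simply dead and never affect acceptance.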