Towards a model-checker for counter systems (S. Demri, A. Finkel, V. Goranko, G. van Drimmelen; PowerPoint presentation)


SLIDE 1

Towards a model-checker for counter systems

  • S. Demri (1)
  • A. Finkel (1)
  • V. Goranko (2)
  • G. van Drimmelen (2)

(1) LSV, CNRS & ENS Cachan & INRIA Futurs
(2) University of Witwatersrand, Johannesburg

ATVA, October 2006, Beijing

SLIDE 2

Overview

  • Motivations: Counter systems (CS); Fast success story
  • Presburger temporal logic: Presburger counter systems; Specification language; Problems
  • Decision procedure: Admissible CS; Translation into PA
  • Procedure: Flattening; Completeness
  • Concluding remarks

  • S. Demri, A. Finkel, V. Goranko, G. van Drimmelen

Towards a model-checker for counter systems

SLIDE 3

Counter systems

◮ Model-checking of infinite-state systems needed for formal verification.
◮ Ubiquity of counter systems (CS)
  ◮ Embedded systems/protocols, Petri nets, . . .
  ◮ Programs with pointer variables. [Bardin et al, AVIS 06; Bouajjani et al, CAV 06]
  ◮ Broadcast protocols. [Leroux & Finkel, FSTTCS 02]
  ◮ Logics for data words. [Bojańczyk et al, LICS 06]
◮ (High) undecidability
  ◮ Checking safety properties for CS is undecidable.
  ◮ Checking liveness properties for CS is Σ¹₁-hard.


SLIDE 4

Taming counter systems

◮ Classes with decidable reachability problems
  ◮ Reversal-bounded CS. [Ibarra, JACM 78]
  ◮ Flat relational CS. [Comon & Jurski, CAV 98]
  ◮ Flat linear CS. [Boigelot, PhD 98; Finkel & Leroux, FSTTCS 02]
  ◮ Petri nets. [Kosaraju, STOC 82]
◮ Verification techniques
  ◮ Acceleration method, . . . [Boigelot & Wolper, CAV 94; Finkel & Leroux, FSTTCS 02]
  ◮ Flatness is central in the verification of CS. [Leroux & Sutre, ATVA 05; Bardin et al, ATVA 05]
  ◮ Tools: Fast, Lash, TReX, . . .


SLIDE 5

Fast success story

◮ Verification of standard examples from Petri nets to TTP protocol and broadcast protocols.
◮ Cornerstones:
  ◮ Flat CS with Presburger-definable reachability sets.
  ◮ Homomorphisms between CS and flat CS preserving the reachability sets.
  ◮ Complete procedure in Fast to enumerate flattenings.
◮ Fast Extended Release. [Bardin & Leroux & Point, CAV 06]



SLIDE 8

Our motivations

Theoretical ground to verify richer properties within Fast

◮ To design classes of counter systems with decidable temporal properties richer than reachability (à la CTL⋆, . . . ).
◮ To provide the adequate notion of trace-flattening for such richer properties (preservation of traces, bisimulation, . . . ).
◮ To design a procedure to enumerate trace-flattenings and then check the temporal properties.



SLIDE 10

Presburger counter systems (PCS) ⟨Σ, Q, T⟩

[Figure: a PCS over control states q0, q1, q2 with transition labels ψ(x, x′), ψ′(x, x′), x′1 = x′2 = x′3 = 0, x′1 = x1 + 1, x′2 = x2 + 1, x′3 = x3 + 1]

◮ Labels: Presburger formulae over
  ◮ x = (x1, x2, x3) (current values).
  ◮ x′ = (x′1, x′2, x′3) (next values).


SLIDE 11

Presburger transition systems (PTS)

Presburger CS → Presburger TS: C = ⟨Σ, Q, T⟩ → S_C = ⟨S, →⟩

◮ S = Q × Nⁿ.
◮ ⟨q, a⟩ → ⟨q′, a′⟩ iff there is q —ψ(x,x′)→ q′ ∈ T s.t. a, a′ ⊨ ψ(x, x′).
◮ Configuration path π: infinite path in ⟨S, →⟩.


SLIDE 12

FOCTL⋆(Pr) formulae

ϕ ::= ψ(t) | ¬ϕ | ϕ ∧ ϕ        (Pr)
    | Xϕ | ϕUϕ | Aϕ           (CTL⋆)
    | ∃y ϕ                    (FO)

◮ Variables:
  x0: control state. x1, . . . , xn: counters. y, z, t, . . .: auxiliary variables.
◮ ψ(t): Presburger formula with free variables from tuple t.


SLIDE 13

Satisfaction relation π, i ⊨_env ϕ

◮ π: infinite configuration path of some transition system S_C.
◮ i: position along π.
◮ env: environment VAR → N.
◮ ϕ: FOCTL⋆(Pr) formula.

[Figure: ϕUϕ′ along a path: ϕ, ϕ, ϕ, ϕ, then ϕ′]



SLIDE 17

Main clauses of ⊨_env

◮ π, i ⊨_env ψ(t) iff π(i), env ⊨ ψ(t) in PA,
◮ π, i ⊨ Xϕ iff π, i + 1 ⊨ ϕ,
◮ π, i ⊨_env ∃yϕ iff there is m ∈ N such that π, i ⊨_env[y←m] ϕ,
◮ π, i ⊨ ϕUϕ′ iff there is some j ≥ i s.t. π, j ⊨ ϕ′ and for i ≤ k < j, we have π, k ⊨ ϕ,
◮ π, i ⊨ Aϕ iff for every infinite configuration path π′ s.t. π′_{≤i} = π_{≤i} we have π′, i ⊨ ϕ.



SLIDE 19

Examples of properties

Determinism: the reachability graph is deterministic:
  AG ⋀_{0≤i≤n} ¬∃y (EX(xi = y) ∧ EX(xi ≠ y)).

Boundedness: the reachability graph is finite:
  ∃y AG ⋀_{1≤i≤n} xi ≤ y.


SLIDE 20

Local model checking

◮ input:
  ◮ C: PCS; ⟨q, a⟩: configuration
  ◮ ϕ: formula
◮ output: 1 iff for every path π s.t. π(0) = ⟨q, a⟩, we have π, 0 ⊨ ϕ

Local MC is highly undecidable!


SLIDE 21

Flatness

A PCS is flat if every control state belongs to at most one cycle with no repeated vertex.

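The flatness condition above, checked mechanically, as an added example (not code from the Fast tool or from the authors): the control graph is abstracted to state → successor lists, transition labels being irrelevant to flatness. Both example graphs are constructed; one mirrors the chain-with-self-loops shape of the earlier PCS slides, the other puts q1 on two elementary cycles.

```python
"""Flatness check for the control graph of a counter system (added example).
A control graph is flat when every control state lies on at most one
elementary cycle, i.e. a cycle with no repeated vertex."""


def elementary_cycles(graph):
    """Enumerate every elementary cycle of a directed graph once, as a list of
    states in traversal order rotated to start at the cycle's smallest state.
    Plain DFS enumeration: adequate for control graphs of a few dozen states."""
    states = sorted(set(graph) | {s for succs in graph.values() for s in succs})
    cycles = set()
    for start in states:
        # Only search cycles whose minimal state is `start`, so each is found once.
        stack = [(start, [start])]
        while stack:
            node, path = stack.pop()
            for succ in graph.get(node, ()):
                if succ == start:
                    cycles.add(tuple(path))
                elif succ > start and succ not in path:
                    stack.append((succ, path + [succ]))
    return [list(c) for c in sorted(cycles)]


def cycle_membership(graph):
    """Map each control state to the number of elementary cycles it lies on."""
    states = set(graph) | {s for succs in graph.values() for s in succs}
    counts = {q: 0 for q in states}
    for cyc in elementary_cycles(graph):
        for q in cyc:
            counts[q] += 1
    return counts


def is_flat(graph):
    return all(n <= 1 for n in cycle_membership(graph).values())


def non_flat_states(graph):
    """States violating flatness (on two or more elementary cycles)."""
    return sorted(q for q, n in cycle_membership(graph).items() if n > 1)


# Constructed control graphs (state -> successors); labels omitted on purpose.
FLAT_PCS = {"q0": ["q0", "q1"], "q1": ["q1", "q2"], "q2": ["q2"]}
NON_FLAT_PCS = {"q0": ["q1"], "q1": ["q0", "q2"], "q2": ["q1"]}
```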


SLIDE 23

Functionality

◮ A PCS C is functional iff every formula ψ(x, x′) labeling a transition in C defines a partial function.
◮ It is decidable whether a given PCS is functional.
◮ The reachability problem is not decidable for all:
  ◮ flat linear PCSs. [Cortier, TIA 02]
  ◮ PCSs (Matrix = Id). [Minsky, 67]


SLIDE 24

Counting acceleration - Definitions

◮ R ⊆ Nⁿ × Nⁿ. ⟨a, i, b⟩ ∈ R^CA iff ⟨a, b⟩ ∈ Rⁱ.
◮ R has Presburger counting acceleration (pca) iff R^CA is Presburger-definable.
◮ A PCS C has pca iff every cycle relation in the control graph of C has the pca.

SLIDE 25

Admissible Presburger CS

Definition
A PCS is admissible if it is flat, functional, and has the pca.

◮ Reachability relation is Presburger-definable for flat PCS with pca, see e.g. [Finkel & Leroux, FSTTCS 02].
◮ Flatness and functionality are decidable properties.
◮ pca is conjectured undecidable, see [Leroux, TR LABRI 06].


SLIDE 26

An almost admissible PCS C

[Figure: PCS C over control states q0, q1, q2 with transition labels id, id, x′1 = x′2 = x′3 = 0, x′1 = x1 + 1, x′2 = x2 + 1, x′3 = x3 + 1]

◮ The PCS C is functional, has the pca but it is not flat.
◮ Local model-checking on C with FOLTL⋆(Pr) is Σ¹₁-hard.


SLIDE 27

Encoding configuration paths in Presburger arithmetic

◮ Control path: infinite control path in C.
◮ Path schemas:

[Figure: path schema over control states q0, q2, q1, q4, q5, q3, q6, q7 with transition labels x′ = 2x, x′ = x + 1, x′ = 2x, x′ = x − 1, x′ = x]


SLIDE 28

Control path description

◮ Control path description: path schema + counters for cycles.

[Figure: path schema through q0, q2, q4, q5, q7; each cycle carries a counter in N, the last one ω]

For admissible PCS,
◮ every control path has a unique control path description.
◮ a configuration path is determined by a control path description + an initial configuration.

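The determinacy claim above, as an added example (not the authors' or Fast's code): a constructed functional PCS over one counter, whose labels borrow the shapes x′ = x + 1, x′ = 2x, x′ = x − 1 and x′ = x from the path-schema slide, is unfolded from a control path description (path schema plus one counter per cycle, ω for the last one) and an initial configuration. Because every label is a partial function, the resulting configuration path is unique, or the description is rejected when a guard fails; the control-graph shape, the schema and the ω truncation bound are assumptions, not the slide's figure.

```python
"""Unfolding a control path description into a configuration path for a
functional PCS (added example; the PCS and schema are constructed)."""
from dataclasses import dataclass
from typing import Callable, Tuple

Vals = Tuple[int, ...]  # counter valuation a in N^n


@dataclass(frozen=True)
class Transition:
    src: str
    dst: str
    guard: Callable[[Vals], bool]   # when the step exists (domain of the partial function)
    update: Callable[[Vals], Vals]  # the function x -> x' that the label defines


OMEGA = None  # cycle counter ω: the final cycle is taken forever


def unfold(schema, init, omega_bound=3):
    """schema: list of ('lin', [transitions]) and ('cyc', [transitions], count)
    items, count being a natural number or OMEGA for the last cycle. Returns the
    configuration path as a list of (state, valuation), truncated to omega_bound
    turns of the ω-cycle, or None if a guard or source state does not match
    (the description then denotes no path of the PCS from init)."""
    state, vals = init
    path = [(state, vals)]
    for seg in schema:
        if seg[0] == 'lin':
            trans, turns = seg[1], 1
        else:
            trans, turns = seg[1], (omega_bound if seg[2] is OMEGA else seg[2])
        for _ in range(turns):
            for t in trans:
                if t.src != state or not t.guard(vals):
                    return None
                state, vals = t.dst, t.update(vals)  # functional: one successor
                path.append((state, vals))
    return path


# Constructed PCS over one counter x; label shapes taken from the path-schema slide.
T_INC = Transition('q0', 'q2', lambda a: True, lambda a: (a[0] + 1,))       # x' = x + 1
T_DBL = Transition('q2', 'q2', lambda a: True, lambda a: (2 * a[0],))       # x' = 2x
T_DEC = Transition('q2', 'q5', lambda a: a[0] >= 1, lambda a: (a[0] - 1,))  # x' = x - 1, stays in N
T_ID = Transition('q5', 'q5', lambda a: True, lambda a: a)                   # x' = x


def schema(k):
    """Path schema q0 -> q2 (cycle x' = 2x taken k times) -> q5 (cycle x' = x, ω)."""
    return [('lin', [T_INC]), ('cyc', [T_DBL], k), ('lin', [T_DEC]), ('cyc', [T_ID], OMEGA)]


def final_counter(sch, init):
    p = unfold(sch, init)
    return None if p is None else p[-1][1][0]
```

Changing only the cycle counter k changes the configuration path, which is exactly what the Presburger encoding of paths has to quantify over.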

SLIDE 29

Local MC is Presburger-definable

◮ Admissible PCS C and FOCTL⋆(Pr) formula ϕ. One can compute a Presburger formula ψ(x) such that for every configuration ⟨q, a⟩, ⟨q, a⟩ ⊨ ψ(x) iff ⟨C, q, a⟩ ⊨ ϕ.
◮ Local model-checking over admissible PCS for FOCTL⋆(Pr) is decidable.
◮ Decidable extensions:
  ◮ Past-time operators S, X⁻¹.
  ◮ CQDD-based temporal operators à la Wolper.


SLIDE 30

Flattening [Bardin et al, ATVA 05]

Let C = ⟨Σ, Q, T⟩ and C′ = ⟨Σ, Q′, T′⟩ be PCSs, f : Q′ → Q. ⟨C′, q′⟩ is an f-flattening of ⟨C, q⟩ iff
◮ f(q′) = q,
◮ C′ is flat,
◮ r —ψ(x,x′)→ s ∈ T′ implies f(r) —ψ(x,x′)→ f(s) ∈ T.


SLIDE 31

A flattable non flat PCS

[Figure: a PCS whose transitions are labelled ψ1, ψ2, ψ3]

ψ1 ≝ x = 1 ∧ ψ
ψ2 ≝ x′ = 0 ∧ ψ′
ψ3 ≝ x = 0 ∧ x′ = 1 ∧ ψ′′



SLIDE 33

Another flattable non flat PCS

[Figure: a PCS over control states q1, q2, q3, q4, q5, q6 with transition labels x = y = 0, x > 0, y ≤ x, x = y ∧ x′ = y′ = 0, x′ = x + 1, x′ = x + 1, y ≤ x ∧ y′ = y + 1, y′ ≤ x ∧ y′ = y = 1]


SLIDE 34

Trace-flattening

◮ ⟨C′, q′⟩ is an f-trace-flattening of ⟨C, q⟩ wrt ψ(x) iff
  ◮ ⟨C′, q′⟩ is an f-flattening of ⟨C, q⟩.
  ◮ Preservation of sets of traces: traces_C(q, ψ(x)) = f(traces_C′(q′, ψ(x))).
◮ ⟨C′, q′⟩ f-flattening of ⟨C, q⟩ and C′ admissible. It is decidable whether ⟨C′, q′⟩ is a trace-flattening of ⟨C, q⟩ wrt ψ(x).
◮ ⟨C′, q′⟩ trace-flattening of ⟨C, q⟩ wrt a. ⟨C′, q′, a⟩ ⊨ ϕ iff ⟨C, q, a⟩ ⊨ ϕ, for any ϕ from the LTL fragment.


SLIDE 35

Model-checking(C: funct. PCS + pca; ϕ: FOLTL(Pr))

procedure model-check(C, q, a, ϕ)
  1. found := false;
  2. while not found do
     2.1 Choose fairly a flattening ⟨C′, q′⟩ of ⟨C, q⟩;
     2.2 if ⟨C′, q′⟩ is a trace-flattening of ⟨C, q⟩ then found := true;
  3. return ⟨C′, q′, a⟩ ⊨ ϕ.


SLIDE 36

Completeness

Theorem
(I) model-check(C, q, a, ϕ) terminates iff ⟨C, q⟩ has a trace-flattening wrt ⟨q, a⟩.
(II) When model-check(C, q, a, ϕ) terminates, it returns whether ⟨C, q, a⟩ ⊨ ϕ holds true.


SLIDE 37

Conclusion

◮ Procedure to verify first-order LTL properties over trace-flattable CSs.
◮ Decidability of model-checking FOCTL⋆(Pr) over admissible CSs.
◮ Open problems:
  ◮ Extension to bisimulation-flattening (preserving CTL⋆ properties)?
  ◮ What are the trace-flattable systems in the literature?
  ◮ Decidability status of model-checking “Presburger mu-calculus” over admissible PCS?
  ◮ Complexity of local model checking admissible PCS over FOCTL⋆(Pr) when each ψ(x, x′) is quantifier-free?
